When you modify Web proxy settings, you have several encryption and user security guidelines to consider.
Restart the host process after making any changes to host directories or authentication mechanisms.

  • Do not set up certificates using a password or pass phrase. ESXi does not support passwords or pass phrases, also known as encrypted keys. If you set up a password or pass phrase, ESXi processes cannot start correctly.

  • You can configure the Web proxy so that it searches for certificates in a location other than the default location. This capability proves useful for companies that prefer to centralize their certificates on a single machine so that multiple hosts can use the certificates.
    If certificates are not stored locally on the host—for example, if they are stored on an NFS share—the host cannot access those certificates if ESXi loses network connectivity. As a result, a client connecting to the host cannot successfully participate in a secure SSL handshake with the host.

  • To support encryption for user names, passwords, and packets, SSL is enabled by default for vSphere Web Services SDK connections. If you want to configure these connections so that they do not encrypt transmissions, disable SSL for your vSphere Web Services SDK connection by switching the connection from HTTPS to HTTP.

    Consider disabling SSL only if you created a fully trusted environment for these clients, where firewalls are in place and transmissions to and from the host are fully isolated. Disabling SSL can improve performance, because you avoid the overhead required to perform encryption.

  • To protect against misuse of ESXi services, most internal ESXi services are accessible only through port 443, the port used for HTTPS transmission. Port 443 acts as a reverse proxy for ESXi. You can see a list of services on ESXi through an HTTP welcome page, but you cannot directly access the Storage Adapters services without proper authorization.

    You can change this configuration so that individual services are directly accessible through HTTP connections. Do not make this change unless you are using ESXi in a fully trusted environment.

  • When you upgrade vCenter Server, the certificate remains in place.
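A pre-deployment check for the first guideline above (ESXi cannot start its services with a password-protected key): the function below inspects a PEM file for the two ways a private key can be encrypted, the PKCS#8 `ENCRYPTED PRIVATE KEY` header and the legacy `Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers. This is an added example, not VMware code; the sample PEM fragments are constructed placeholders, not real keys.

```python
"""Reject passphrase-protected (encrypted) private keys before installing
them as ESXi Web proxy key material. Added example; not part of VMware's code."""
import re

# PKCS#8 encrypted keys announce themselves in the PEM header.
PKCS8_ENCRYPTED_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
# Legacy (PKCS#1 / SEC1) keys signal encryption with RFC 1421 headers
# placed right after the BEGIN line.
LEGACY_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.M)
LEGACY_DEK_INFO = re.compile(r"^DEK-Info:", re.M)
# Any unencrypted private key block ESXi could load.
PRIVATE_KEY_HEADER = re.compile(r"^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----$", re.M)


def classify_private_key(pem_text: str) -> str:
    """Return 'encrypted', 'unencrypted', or 'no-key' for a PEM blob.

    Encryption markers are checked first because a legacy encrypted key
    still carries an ordinary '-----BEGIN RSA PRIVATE KEY-----' header."""
    if PKCS8_ENCRYPTED_HEADER in pem_text:
        return "encrypted"
    if LEGACY_PROC_TYPE.search(pem_text) or LEGACY_DEK_INFO.search(pem_text):
        return "encrypted"
    if PRIVATE_KEY_HEADER.search(pem_text):
        return "unencrypted"
    return "no-key"


def key_is_usable_by_esxi(pem_text: str) -> bool:
    """True only for a present, unencrypted private key."""
    return classify_private_key(pem_text) == "unencrypted"


# Constructed sample fragments (base64 bodies are placeholders, not key data).
UNENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                   "MIIEPLACEHOLDERBODY\n"
                   "-----END RSA PRIVATE KEY-----\n")
LEGACY_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "MIIEPLACEHOLDERBODY\n"
                        "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                       "MIIFPLACEHOLDERBODY\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n")
CERT_ONLY = ("-----BEGIN CERTIFICATE-----\n"
             "MIIDPLACEHOLDERBODY\n"
             "-----END CERTIFICATE-----\n")
```

Run the check over the key file before copying it to the host; anything other than `unencrypted` means hostd will fail to start with that key.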