You can use the TLS Configuration utility to disable TLS versions on an ESXi host. As part of the process, you can either enable both TLS 1.1 and TLS 1.2, or enable only TLS 1.2.

Before you begin

Ensure that any products or services associated with the ESXi host can communicate using TLS 1.1 or TLS 1.2. For products that communicate only using TLS 1.0, connectivity is lost.

This procedure explains how to perform the task on a single host. You can write a script to configure multiple hosts.

About this task

For ESXi hosts, you use a different script than for the other components of your vSphere environment.

Note:

The script disables both TLS 1.0 and TLS 1.1 unless you specify the -p option.

Procedure

  1. Log in to the ESXi host as a user who can run scripts and go to the directory where the script is located.

    OS       Command
    Windows  cd ..\EsxTlsReconfigurator
    Linux    cd ../EsxTlsReconfigurator
  2. On a host that is part of a cluster, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.

      OS       Command
      Windows  reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
      Linux    ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the following command.

      OS       Command
      Windows  reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
      Linux    ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
  3. On an individual host, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on an individual host, run the following command.

      OS       Command
      Windows  reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.1 TLSv1.2
      Linux    ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on an individual host, run the following command.

      OS       Command
      Windows  reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.2
      Linux    ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.2
  4. Reboot the ESXi host to complete the TLS protocol changes.
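
The "Before you begin" section notes that you can write a script to configure multiple hosts. As an added example (not part of the utility or of the original page), the following wrapper runs the step 3 command over a list of hosts and accepts only the two protocol sets shown above. The hosts-file format, the RECONFIGURE_ESX and DRY_RUN variables, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: batch wrapper around the per-host command from step 3.
# Assumed: a hosts file with one ESXi host name per line ('#' starts a comment),
# RECONFIGURE_ESX = path to the utility, DRY_RUN=1 = print commands only.
RECONFIGURE_ESX="${RECONFIGURE_ESX:-./reconfigureEsx}"

# Accept only the two protocol sets this procedure documents.
valid_protocols() {
    case "$*" in
        "TLSv1.2"|"TLSv1.1 TLSv1.2") return 0 ;;
        *) return 1 ;;
    esac
}

# Host names end up on a command line: allow only name/address characters
# and refuse a leading '-' so an entry cannot be read as an option.
valid_host() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: reconfigure_hosts HOSTS_FILE ADMIN_USER PROTOCOL [PROTOCOL]
# Prints one status line per host; returns 1 if any host was skipped or failed.
reconfigure_hosts() {
    hosts_file=$1; admin_user=$2; shift 2
    valid_protocols "$@" || { echo "unsupported protocol set: $*" >&2; return 2; }
    [ -r "$hosts_file" ] || { echo "cannot read $hosts_file" >&2; return 2; }
    failed=0
    # The list is read on fd 3 so the utility keeps the caller's stdin.
    while IFS= read -r host <&3 || [ -n "$host" ]; do
        case "$host" in ""|\#*) continue ;; esac
        if ! valid_host "$host"; then
            echo "SKIPPED $host"; failed=1
        elif [ "${DRY_RUN:-0}" = 1 ]; then
            echo "DRYRUN $RECONFIGURE_ESX vCenterHost -h $host -u $admin_user -p $*"
        elif "$RECONFIGURE_ESX" vCenterHost -h "$host" -u "$admin_user" -p "$@"; then
            echo "OK $host (reboot pending, step 4)"
        else
            echo "FAILED $host"; failed=1
        fi
    done 3< "$hosts_file"
    return "$failed"
}

# Run directly: ./batch.sh hosts.txt Administrative_User TLSv1.2
if [ "$#" -ge 3 ]; then reconfigure_hosts "$@"; fi
```

Run it with DRY_RUN=1 first and review the printed commands before a real run; hosts reported as OK still need the reboot from step 4.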