You can use the TLS Configuration utility to enable or disable TLS versions on an ESXi host. As part of the process, you can disable TLS 1.0, and enable TLS 1.1 and TLS 1.2. Or, you can disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2.

For ESXi hosts, you use a different utility than for the other components of your vSphere environment. The utility is release-specific, and cannot be used on a previous release.

You can write a script to configure multiple hosts.

Prerequisites

Ensure that any products or services associated with the ESXi host can communicate using TLS 1.1 or TLS 1.2. For products that communicate only using TLS 1.0, connectivity is lost.

Procedure

  1. Log in to the vCenter Server system with the user name and password of the vCenter Single Sign-On user who can run scripts.
  2. Go to the directory where the script is located.
    OS        Command
    Windows   cd %VMWARE_CIS_HOME%\TlsReconfigurator\EsxTlsReconfigurator
    Linux     cd /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator
  3. For an ESXi host that is part of a cluster, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.
      OS        Command
      Windows   reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
      Linux     ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the following command.
      OS        Command
      Windows   reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
      Linux     ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
  4. For an individual host that is not part of a cluster, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on an individual host, run the following command.
      OS        Command
      Windows   reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.2
      Linux     ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on an individual host, run the following command.
      OS        Command
      Windows   reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.2
      Linux     ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.2
      Note: To reconfigure a standalone ESXi host, log in to a vCenter Server system and run the reconfigureEsx command with the ESXiHost -h HOST -u ESXi_USER options. For the HOST option, you can specify the IP address or FQDN of a single ESXi host, or a space-separated list of host IP addresses or FQDNs. For example, logging in to a vCenter Server and running the following command enables both TLS 1.1 and TLS 1.2 on two ESXi hosts:
      ./reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2

      Alternatively, to reconfigure a standalone ESXi host, you can log into the host and modify the UserVars.ESXiVPsDisabledProtocols advanced setting. See the topic titled "Configure Advanced TLS/SSL Key Options" in the vSphere Single Host Management - VMware Host Client documentation for more information.

  5. Reboot the ESXi host to complete the TLS protocol changes.
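After the reboot, it is worth confirming from the outside that the host really refuses the versions you disabled and still accepts the ones you kept, because a product that only speaks a disabled version loses connectivity silently. The following Python script is an added example and is not part of the VMware documentation or of the TLS Configuration utility. It takes the same protocol names you passed on the -p option, derives the expected enabled set, and then attempts one handshake per TLS version against the host. It assumes the ESXi management interface answers on TCP port 443, uses the name TLSv1 for TLS 1.0 (a naming choice made here for the script only), and lowers the local OpenSSL security level so that the probing client itself is still willing to offer TLS 1.0 and 1.1.

```python
import argparse
import socket
import ssl

# TLS versions the utility can enable or disable, keyed by the names this
# script uses on the command line. "TLSv1.1" and "TLSv1.2" match the -p
# option of reconfigureEsx; "TLSv1" for TLS 1.0 is an assumption made here.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def expected_enabled(protocol_args):
    """Return the set of versions that should remain enabled after running
    reconfigureEsx with the given -p values, e.g. ["TLSv1.2"]. Every version
    in TLS_VERSIONS that is not named is expected to be disabled."""
    unknown = set(protocol_args) - set(TLS_VERSIONS)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    return set(protocol_args)


def probe_tls_version(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`. Returns True when
    the host negotiated it and False when the handshake was rejected.
    Certificate verification is switched off on purpose: the check is about
    protocol negotiation, not the trust chain."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            # Let the probing client offer old versions that a modern OpenSSL
            # refuses at its default security level (assumption: OpenSSL >= 1.1).
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):
        # ssl.SSLError is a subclass of OSError; ValueError covers a local
        # OpenSSL build that cannot be configured for the requested version.
        return False


def observed_enabled(host, port=443):
    """Probe every version in TLS_VERSIONS and return the set the host accepts."""
    return {name for name, ver in TLS_VERSIONS.items()
            if probe_tls_version(host, ver, port)}


def compare(observed, expected):
    """Return a list of findings; an empty list means the host matches the
    configuration you applied."""
    findings = []
    for name in TLS_VERSIONS:
        if name in expected and name not in observed:
            findings.append(f"{name} should be enabled but the host refused it")
        if name not in expected and name in observed:
            findings.append(f"{name} should be disabled but the host still accepts it")
    return findings


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Verify which TLS versions ESXi hosts accept after reconfigureEsx")
    parser.add_argument("hosts", nargs="+", help="ESXi host IP addresses or FQDNs")
    parser.add_argument("-p", nargs="+", required=True, dest="protocols",
                        help="the protocol names passed to reconfigureEsx -p")
    parser.add_argument("--port", type=int, default=443)
    args = parser.parse_args()
    expected = expected_enabled(args.protocols)
    for host in args.hosts:
        findings = compare(observed_enabled(host, args.port), expected)
        status = "OK" if not findings else "MISMATCH"
        print(f"{host}: {status}")
        for line in findings:
            print(f"  {line}")
```

Run it from a machine that can reach the hosts, for example `python3 verify_esxi_tls.py 198.51.100.2 198.51.100.3 -p TLSv1.1 TLSv1.2`, using the same -p values you gave reconfigureEsx. A version reported as refused can also mean the probing client itself would not offer it, so if a host unexpectedly shows TLS 1.0 or 1.1 as disabled, confirm with a client whose OpenSSL still supports those versions before concluding the host rejected them.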