You can configure the security protocols and cryptographic algorithms that are used to encrypt communications with the ESXi host.
The Transport Layer Security (TLS) key secures communication with the host using the TLS protocol. Upon first boot, the ESXi host generates the TLS key as a 2048-bit RSA key. Currently, ESXi does not implement automatic generation of ECDSA keys for TLS. The TLS private key is not intended to be serviced by the administrator.
The SSH key secures communication with the ESXi host using the SSH protocol. Upon first boot, the system generates the SSH key as a 2048-bit RSA key. The SSH server is deactivated by default. SSH access is intended primarily for troubleshooting purposes. The SSH key is not intended to be serviced by the administrator. Logging in through SSH requires administrative privileges equivalent to full host control. To enable SSH access, see Enable the Secure Shell (SSH) in the VMware Host Client.
|UserVars.ESXiVPsAllowedCiphers||!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES||The default cipher control string.|
|UserVars.ESXiVPsDisabledProtocols||sslv3,tlsv1,tlsv1.1||By default enables TLS v1.0, v1.1, and v1.2 protocols. SSL v3.0 is disabled. If you do not specify a protocol, all protocols are enabled.|
|Config.HostAgent.ssl.keyStore.allowAny||False||You can add any certificate to the ESXi CA trust store.|
|Config.HostAgent.ssl.keyStore.allowSelfSigned||False||You can add non-CA self-signed certificates to the ESXi CA trust store, that is, certificates that do not have the CA bit set.|
|Config.HostAgent.ssl.keyStore.discardLeaf||True||Discards leaf certificates added to the ESXi CA trust store.|
To configure the ESXi security key settings:
- Click Manage in the VMware Host Client inventory and click Advanced Settings.
- Enter the security key in the Search text box and click the Search icon.
- Right-click the security key and select Edit option from the drop-down menu.
The Edit option dialog box opens.
- In the New value field entre the new value and click Save.
- (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.