You can configure the security protocols and cryptographic algorithms that are used to encrypt communications with the ESXi host.
The Transport Layer Security (TLS) key secures communication with the host using the TLS protocol. Upon first boot, the ESXi host generates the TLS key as a 2048-bit RSA key. Currently, ESXi does not implement automatic generation of ECDSA keys for TLS. The TLS private key is not intended to be serviced by the administrator.
The SSH key secures communication with the ESXi host using the SSH protocol. Upon first boot, the system generates the SSH key as a 2048-bit RSA key. The SSH server is deactivated by default. SSH access is intended primarily for troubleshooting purposes. The SSH key is not intended to be serviced by the administrator. Logging in through SSH requires administrative privileges equivalent to full host control. To enable SSH access, see Enable the Secure Shell (SSH) in the VMware Host Client.
| Key | Default | Description |
|---|---|---|
| UserVars.ESXiVPsAllowedCiphers | !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES | The default cipher control string. |
| UserVars.ESXiVPsDisabledProtocols | sslv3,tlsv1,tlsv1.1 | By default enables TLS v1.0, v1.1, and v1.2 protocols. SSL v3.0 is disabled. If you do not specify a protocol, all protocols are enabled. |
| Config.HostAgent.ssl.keyStore.allowAny | False | You can add any certificate to the ESXi CA trust store. |
| Config.HostAgent.ssl.keyStore.allowSelfSigned | False | You can add non-CA self-signed certificates to the ESXi CA trust store, that is, certificates that do not have the CA bit set. |
| Config.HostAgent.ssl.keyStore.discardLeaf | True | Discards leaf certificates added to the ESXi CA trust store. |
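The following script is an added example, not part of the VMware documentation: it parses the output of `esxcli system settings advanced list` for these options (the `Path:` / `String Value:` / `Int Value:` block layout and the sample output are assumptions constructed here) and reports every value that weakens the posture the defaults in the table give, such as TLS 1.0/1.1 re-enabled, anonymous cipher suites no longer excluded, or `allowAny` switched on.

```python
import re
# Defaults exactly as listed in the table above.
DEFAULTS = {
    "UserVars.ESXiVPsAllowedCiphers": "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES",
    "UserVars.ESXiVPsDisabledProtocols": "sslv3,tlsv1,tlsv1.1",
    "Config.HostAgent.ssl.keyStore.allowAny": "False",
    "Config.HostAgent.ssl.keyStore.allowSelfSigned": "False",
    "Config.HostAgent.ssl.keyStore.discardLeaf": "True",
}
# Constructed sample esxcli output (layout assumed): TLS 1.0/1.1 re-enabled and allowAny switched on.
SAMPLE_ESXCLI_OUTPUT = """\
   Path: /UserVars/ESXiVPsDisabledProtocols
   Type: string
   String Value: sslv3

   Path: /Config/HostAgent/ssl/keyStore/allowAny
   Type: integer
   Int Value: 1
"""

def parse_esxcli_advanced(text):
    """Parse 'Path: ...' option blocks into {dotted.option.name: value (as a string)}."""
    settings, block = {}, {}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last block
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if m:
            block[m.group(1)] = m.group(2).strip()
        elif block.get("Path"):  # a blank line closes an option block
            key = block["Path"].lstrip("/").replace("/", ".")
            settings[key] = block.get("String Value" if block.get("Type") == "string" else "Int Value")
            block = {}
    return settings

def audit(settings):
    """Return findings where a value weakens the posture the documented defaults give."""
    cfg = {**DEFAULTS, **settings}  # options absent from the input keep their default
    findings = []
    disabled = {p.strip().lower() for p in cfg["UserVars.ESXiVPsDisabledProtocols"].split(",")}
    findings += [f"{p} is not in ESXiVPsDisabledProtocols" for p in ("sslv3", "tlsv1", "tlsv1.1") if p not in disabled]
    if "!aNULL" not in cfg["UserVars.ESXiVPsAllowedCiphers"].split(":"):
        findings.append("cipher string does not exclude anonymous (aNULL) suites")
    ks = "Config.HostAgent.ssl.keyStore."
    for opt, want, msg in (("allowAny", False, "any certificate can enter the CA trust store"),
                           ("allowSelfSigned", False, "non-CA self-signed certificates are accepted"),
                           ("discardLeaf", True, "leaf certificates are kept in the CA trust store")):
        enabled = str(cfg[ks + opt]).strip().lower() in ("1", "true")  # accept 0/1 as well as True/False
        if enabled != want:
            findings.append(f"keyStore.{opt} is {'enabled' if enabled else 'disabled'}: {msg}")
    return findings
```

Feed it the real `esxcli system settings advanced list` output from a host to compare that host against the documented defaults; an empty result means every option in the table is at its default.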
To configure the ESXi security key settings: