By default, vSphere Authentication Proxy adds any host if it has the IP address of that host in its access control list. For additional security, you can enable client authentication. If client authentication is enabled, vSphere Authentication Proxy also checks the certificate of the host.


  • Verify that the vCenter Server system trusts the host. By default, when you add a host to vCenter Server, the host is assigned a certificate that is signed by a vCenter Server trusted root CA. vSphere Authentication Proxy trusts vCenter Server trusted root CA.
  • If you plan on replacing ESXi certificates in your environment, perform the replacement before you enable vSphere Authentication Proxy. The certificates on the ESXi host must match that of the host's registration.


  1. Log in to the vCenter Server system as a user with administrator privileges.
  2. Run the command to enable access to the Bash shell.
  3. Go to the /usr/lib/vmware-vmcam/bin/ directory where the camconfig script is located.
  4. Run the following command to enable client authentication.
    camconfig ssl-cliAuth -e
    Going forward, vSphere Authentication Proxy checks the certificate of each host that is added.
  5. If you later want to disable client authentication again, run the following command.
    camconfig ssl-cliAuth -n