Transport Layer Security Key

The Transport Layer Security (TLS) key secures communication with the host using the TLS protocol. Upon first boot, the ESXi host generates the TLS key as a 2048-bit RSA key. Currently, ESXi does not implement automatic generation of ECDSA keys for TLS. The TLS private key is not intended to be serviced by the administrator.

The TLS key resides at the following non-persistent location:

/etc/vmware/ssl/rui.key

The TLS public key (including intermediate certificate authorities) resides at the following non-persistent location as an X.509 v3 certificate :

/etc/vmware/ssl/rui.crt

When you use vCenter Server with your ESXi hosts, vCenter Server generates a CSR automatically, signs it using the VMware Certificate Authority (VMCA), and generates the certificate. When you add an ESXi host to vCenter Server, vCenter Server installs that resulting certificate on the ESXi host.

The default TLS certificate is self-signed, with a subjectAltName field matching the host name at installation. You can install a different certificate, for example, to make use of a different subjectAltName or to include a particular Certificate Authority (CA) in the verification chain. See Replacing ESXi SSL Certificates and Keys.

You can also use the VMware Host Client to replace the certificate. See vSphere Single Host Management - VMware Host Client.

SSH Key

The SSH key secures communication with the ESXi host using the SSH protocol. Upon first boot, the system generates a nistp256 ECDSA key, and the SSH keys as 2048-bit RSA keys. The SSH server is deactivated by default. SSH access is intended primarily for troubleshooting purposes. The SSH keys are not intended to be serviced by the administrator. Logging in through SSH requires administrative privileges equivalent to full host control. To enable SSH access, see Enable Access to the ESXi Shell.

The SSH public keys reside at the following location:

/etc/ssh/ssh_host_rsa_key.pub

/etc/ssh/ssh_host_ecdsa_key.pub

The SSH private keys reside at the following location:

/etc/ssh/ssh_host_rsa_key

/etc/ssh/ssh_host_ecdsa_key

TLS Cryptographic Key Establishment

Configuration of TLS cryptographic key establishment is governed by choice of TLS cipher suites, which select one of the RSA-based key transports (as specified in NIST Special Publication 800-56B) or ECC-based key agreements using ephemeral Ecliptic Curve Diffie Hellman (ECDH) (as specified in NIST Special Publication 800-56A).

SSH Cryptographic Key Establishment

Configuration of SSH cryptographic key establishment is governed by the SSHD configuration. ESXi provides a default configuration that permits RSA-based key transport (as specified in NIST Special Publication 800-56B), ephemeral Diffie Hellman (DH) (as specified in NIST Special Publication 800-56A) key agreement, and ephemeral Ecliptic Curve Diffie Hellman (ECHD) (as specified in NIST Special Publication 800-56A). The SSHD configuration is not intended to be serviced by the administrator.