You can use the TLS Configuration utility to enable or disable TLS versions on an ESXi host. As part of the process, you can disable TLS 1.0, and enable TLS 1.1 and TLS 1.2. Or, you can disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2.

For ESXi hosts, you use a different utility than for the other components of your vSphere environment. The utility is release-specific, and cannot be used on a previous release.

You can write a script to configure multiple hosts.

Prerequisites

Ensure that every product or service that talks to the ESXi host can negotiate TLS 1.1 or TLS 1.2. Any product that can negotiate only TLS 1.0 loses connectivity to the host once the change takes effect.

The Bash shell must be enabled on the vCenter Server Appliance.

Procedure

  1. Using SSH, connect to the vCenter Server Appliance with the user name and password of the vCenter Single Sign-On user who can run scripts.
  2. To enable the Bash shell, enter shell at the command line.
  3. Go to the directory where the script is located.
    cd /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator
  4. For an ESXi host that is part of a cluster, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.
      ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the following command.
      ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
  5. For an individual host that is not part of a cluster, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 for an individual host, run the following command.
      ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 for an individual host, run the following command.
      ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.2
      Note: To reconfigure a standalone ESXi host, log in to a vCenter Server system and run the reconfigureEsx command with the ESXiHost -h HOST -u ESXi_USER options. For the HOST option, you can specify the IP address or FQDN of a single ESXi host, or a space-separated list of host IP addresses or FQDNs. For example, logging in to a vCenter Server and running the following command disables TLS 1.0 and enables both TLS 1.1 and TLS 1.2 on two ESXi hosts:
      ./reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2

      Alternatively, to reconfigure a standalone ESXi host, you can log in to the host and modify the UserVars.ESXiVPsDisabledProtocols advanced setting, which lists the protocols to disable rather than the protocols to enable. See the topic titled "Configure Advanced TLS/SSL Key Options" in the vSphere Single Host Management - VMware Host Client documentation for more information.

  6. Reboot each reconfigured ESXi host. The TLS protocol changes take effect only after the reboot.
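The following script is an added example that is not part of the original documentation or of the VMware utility. It wraps the reconfigureEsx invocations from steps 4 and 5 so that many clusters and hosts can be processed from one inventory, defaults to printing the exact commands (DRY_RUN=1) so they can be reviewed before anything is changed, refuses an empty or unknown protocol set (an empty set would lock every client out of the host), and derives the equivalent UserVars.ESXiVPsDisabledProtocols value for hosts that are configured directly. The inventory of targets, the cluster and host names, and the check_tls_versions helper are assumptions constructed for the example; the utility path is the one shown in step 3.

```shell
#!/bin/sh
# Added example (not VMware code): drive reconfigureEsx across an inventory and
# derive the matching UserVars.ESXiVPsDisabledProtocols value.
set -eu

# Path from step 3 of the procedure; override with RECONFIG_DIR if it differs.
RECONFIG_DIR="${RECONFIG_DIR:-/usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator}"
# Print commands instead of running them until explicitly set to 0.
DRY_RUN="${DRY_RUN:-1}"

# Protocol tokens as the advanced setting spells them, oldest first.
ALL_PROTOCOLS="sslv3 tlsv1 tlsv1.1 tlsv1.2"

# Reject unknown protocol names and an empty set (which would disable TLS 1.2 too).
validate_protocols() {
  [ "$#" -gt 0 ] || { echo "error: no protocols to enable" >&2; return 1; }
  for p in "$@"; do
    case "$p" in
      TLSv1|TLSv1.1|TLSv1.2) ;;
      *) echo "error: unknown protocol '$p'" >&2; return 1 ;;
    esac
  done
}

# Map the protocols to ENABLE (as passed to -p) to the comma-separated list of
# protocols to DISABLE, i.e. the value UserVars.ESXiVPsDisabledProtocols takes.
disabled_protocols_for() {
  local enabled out p
  enabled=" $(printf '%s' "$*" | tr '[:upper:]' '[:lower:]') "
  out=""
  for p in $ALL_PROTOCOLS; do
    case "$enabled" in
      *" $p "*) ;;                       # requested as enabled: keep it
      *) out="${out:+$out,}$p" ;;        # everything else is disabled
    esac
  done
  printf '%s' "$out"
}

# Build and (unless DRY_RUN=1) execute one reconfigureEsx call.
# MODE is vCenterCluster, vCenterHost or ESXiHost, as in steps 4 and 5.
run_reconfigure() {
  local mode target user flag
  mode="$1"; target="$2"; user="$3"; shift 3
  validate_protocols "$@" || return 1
  case "$mode" in
    vCenterCluster) flag=-c ;;
    vCenterHost|ESXiHost) flag=-h ;;
    *) echo "error: unknown mode '$mode'" >&2; return 1 ;;
  esac
  set -- "$RECONFIG_DIR/reconfigureEsx" "$mode" "$flag" "$target" -u "$user" -p "$@"
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Post-reboot check from any machine with openssl: each version you disabled
# must be refused on the host's port 443. Needs network, so main() does not call it.
check_tls_versions() {
  local host v
  host="$1"
  for v in tls1 tls1_1 tls1_2; do
    if openssl s_client -connect "$host:443" "-$v" </dev/null >/dev/null 2>&1; then
      printf '%-7s accepted\n' "$v"
    else
      printf '%-7s refused\n' "$v"
    fi
  done
}

# Constructed sample inventory (assumed, not from the page): one target per line
# as "MODE TARGET USER". Passwords are prompted for by the utility itself.
main() {
  local enable mode target user
  enable="TLSv1.2"   # TLS 1.2 only; use "TLSv1.1 TLSv1.2" to keep TLS 1.1
  while read -r mode target user; do
    [ -n "$mode" ] || continue
    run_reconfigure "$mode" "$target" "$user" $enable   # unquoted: split into protocols
  done <<'EOF'
vCenterCluster Prod-Cluster administrator@vsphere.local
vCenterHost esx-standalone.example.com administrator@vsphere.local
ESXiHost 198.51.100.2 root
EOF
  printf 'Equivalent UserVars.ESXiVPsDisabledProtocols value: %s\n' "$(disabled_protocols_for $enable)"
}

main "$@"
```

Run it once with the default DRY_RUN=1 to review the generated command lines, then with DRY_RUN=0 on the vCenter Server Appliance shell. After the hosts reboot, check_tls_versions confirms from the outside that the disabled versions are actually refused rather than trusting the configuration alone.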