Starting with the ESXi 6.7U3 release, the following host agent settings are available, with the listed default values:
Key | Default | Description |
---|---|---|
Config.HostAgent.ssl.keyStore.allowAny | false | Allow any certificate to be added to the host CA store. Disables CA checks. |
Config.HostAgent.ssl.keyStore.allowSelfSigned | false | Allow self-signed certificates to be added to the host CA store. |
Config.HostAgent.ssl.keyStore.discardLeaf | true | Discard leaf certificates when adding to the CA store. Leaf certificates in a CA store are generally a misconfiguration. |
These settings do not affect self-signed certificates that are already present in a host's trust store. However, with the defaults, no new self-signed certificate can be added to a host's trust store.
An upgrade therefore does not affect existing vVol datastores mounted on a host. A freshly installed host, however, will not be able to establish a session with a VASA provider that presents a self-signed certificate, and vCenter will not be able to push self-signed certificates to a host that is newly added to vCenter.
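As an added example (not from the original page), the following PowerCLI script audits every host in a connected vCenter against the defaults listed above and reports any host where one of the three settings has been relaxed. It assumes VMware PowerCLI is installed and that `Connect-VIServer` has already been run; the optional `-Fix` switch, which restores the default value, is the example's own addition.

```powershell
# Added example: audit Config.HostAgent.ssl.keyStore.* on all hosts against the ESXi 6.7U3 defaults.
# Assumes PowerCLI is loaded and a vCenter session exists (Connect-VIServer <vcenter>).
param(
    [switch]$Fix   # assumption: restore the default on drifted hosts instead of only reporting
)

# Secure defaults exactly as listed in the table above
$expected = @{
    'Config.HostAgent.ssl.keyStore.allowAny'        = $false
    'Config.HostAgent.ssl.keyStore.allowSelfSigned' = $false
    'Config.HostAgent.ssl.keyStore.discardLeaf'     = $true
}

$report = foreach ($vmhost in Get-VMHost) {
    # Hosts older than 6.7U3 return no rows for these names and are simply skipped
    $settings = Get-AdvancedSetting -Entity $vmhost -Name ([string[]]$expected.Keys)
    foreach ($s in $settings) {
        # The value may be returned as a bool or as the string "true"/"false"; normalise to bool
        $actual = [System.Convert]::ToBoolean("$($s.Value)")
        $drift  = $actual -ne $expected[$s.Name]
        if ($drift -and $Fix) {
            Set-AdvancedSetting -AdvancedSetting $s -Value $expected[$s.Name] -Confirm:$false | Out-Null
        }
        [pscustomobject]@{
            Host     = $vmhost.Name
            Setting  = $s.Name
            Expected = $expected[$s.Name]
            Actual   = $actual
            Drifted  = $drift
        }
    }
}

# Drifted rows first so relaxed hosts stand out in the output
$report | Sort-Object -Property @{Expression = 'Drifted'; Descending = $true}, Host, Setting |
    Format-Table -AutoSize
```

A host showing `allowSelfSigned` or `allowAny` as `true` accepts certificates the defaults would reject; the fix for a new host that must talk to a VASA provider is a CA-signed provider certificate whose issuing CA is trusted by the host, not relaxing these settings.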