The most secure approach is to install the trusted PEM file manually on each template that uses the guest agent, but you can also allow the guest agent to trust the first machine to which it connects.
Installing the PEM file for the trusted server on each template along with the guest agent is the most secure approach. For security, the guest agent does not check for a certificate if a PEM file already exists in the VRMGuestAgent directory. If the server certificates change, you must manually rebuild your templates with the new PEM files.
You can also configure the guest agent to populate the trusted PEM file on first use. This is less secure than manually installing the PEM files on each template, but is more flexible for environments where you might use a single template for multiple servers. To allow the guest agent to trust the first server it connects to, you create a template with no PEM files in the VRMGuestAgent directory. The guest agent populates the PEM file the first time it connect to a server. The template always trusts the first system to which it connects. For security, the guest agent does not check for a certificate if a PEM file already exists in the VRMGuestAgent directory. If the server certificate changes, you must remove the PEM file from your VRMGuestAgent directory. The guest agent installs the new PEM file the next time it connects to the server.