The system administrator can replace the Management Agent certificate when it expires or replace a self-signed certificate with one issued by a certificate authority.

About this task

Each IaaS host runs its own Management Agent. Repeat this procedure on each IaaS node whose Management Agent you want to update.


  • Obtain the Management Agent identifier in the Node ID column before you remove the record. You use this identifier when you create the new Management Agent certificate and when you register it.

  • When you request a new certificate, ensure that the Common Name (CN) attribute in the certificate subject field for the new certificate is typed in the following format:

    VMware Management Agent 00000000-0000-0000-0000-000000000000

    Use the string VMware Management Agent, followed by a single space and the GUID for the Management Agent in the numerical format shown.


  1. Stop the Management Agent service from your Windows Services snap-in.
    1. From your Windows machine, click Start.
    2. In the Windows Start Search box, type services.msc and press Enter.
    3. Right-click VMware vCloud Automation Center Management Agent service and click Stop to stop the service.
  2. Remove the current certificate from the machine. For information about managing certificates on Windows Server 2008 R2, see the Microsoft Knowledge Base article at or the Microsoft wiki article at
    1. Open Microsoft Management Console with the command mmc.exe.
    2. Press Ctrl + M to Add a new snap-in in the console or choose the option from the File menu list
    3. Choose Certificates and press Add
    4. Select Computer account and click Next
    5. Choose "Local computer: (the computer this console is running on)" radio button and click
    6. Click OK.
    7. Expand Certificates (Local Computer) on the left side of the console
    8. Expand Personal and choose Certificates folder
    9. In the left side choose the current Management Agent certificate and press Delete
    10. Confirm the deletion of the certificate by pressing Yes
  3. Register the Management Agent certificate with the vRealize Automation appliance management site.
    1. Open a command prompt as an administrator and navigate to the Cafe directory on the machine on which the Management Agent is installed at <vra-installation-dir>\Management Agent\Tools\Cafe, typically C:\Program Files (x86)\VMware\vCAC\Management Agent\Tools\Cafe
    2. Type the Vcac-Config.exe RegisterNode command with options to register the Management Agent identifier and certificate in one step. Include the Management Agent identifier you recorded earlier as the value for the -nd option.
      Table 1. Required Options and Arguments for Vcac-Config.exe RegisterNode






      The URL of the management site host, including a port specification



      The user name, which must be the root user



      Password for the root user as a quoted string



      The machine name of the Management Agent host, including domain information

      This value must match the hostname that the current node is registered with in the vRealize Automation appliance. Can be seen with option 1 specified above for the node ID or in the VAMI - Distributed Deployment Information table. If it is not the same an error will be return when the command is executed: Failure: Cannot add duplicate node id 00000000-0000-0000-0000-000000000000. ]



      Management Agent identifier



      Thumbprint of the SSL certificate of the management console.

      The following example shows the command format:

      Vcac-Config.exe RegisterNode -v -vamih "" 
      -cu "root" -cp "password" -hn "" 
      -nd "00000000-0000-0000-0000-000000000000" 
      -tp "0000000000000000000000000000000000000000" 

Command to Register a Management Agent Certificate

Vcac-Config.exe" RegisterNode -v -vamih "vra-va.eng.mycompany:5480" -cu "root" -cp "secret" -hn "iaas.eng.mycompany" -nd "C816CFBX-4830-4FD2-8951-C17429CEA291" -tp "70928851D5B72B206E4B1CF9F6ED953EE1103DED"