After you generate a certificate for a management product in Region A that is signed by the two-layered certificate authority on the child AD server in the region, replace the default certificate or an expired certificate with newly-signed one on the product instance in the region.
Generate a certificate for the products in this validated design in one of the following ways:
Use the VMware Validated Design Certificate Utility. See Use the Certificate Generation Utility to Generate Certificates Automatically in Region A.
Generate Certificate Signing Requests manually and use them to have the product certificates signed by the certificate authority on the child AD server in Region A. See #GUID-77202566-4B96-4C13-8693-3B1C956FDD19 and #GUID-BB614D41-1EF4-4701-A480-6327C93510D1.