After you generate certificates for management products that are signed by the two-layered certificate authority on the child AD server in the region, replace the default certificate or a certificate that is about to expire with a newly-signed one.