After you generate a certificate for a management product in Region A that is signed by the two-layered certificate authority on the child AD server in the region, replace the default certificate or an expired certificate with the newly signed one.