In a dual-region environment, you first replace the certificates of the SDDC components in Region A.