In a dual-region environment, you first replace the certificates of the SDDC components in Region A.

Create and Add a Microsoft Certificate Authority Template
The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template on the Active Directory (AD) servers for the region. The template contains the certificate authority (CA) attributes for signing certificates of VMware SDDC solutions. After you create the new template, you add it to the certificate templates of the Microsoft CA.

Generate MSCA-Signed Certificates for the SDDC Management Components in Region A
Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

Generate Certificate Signing Requests and Certificates from a Third-Party CA in Region A
Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificate signing request (CSR) files that you can send to a third-party certificate authority to receive CA-signed certificates for the management components.

Replace Certificates of the Virtual Infrastructure Components in Region A
In this design, you replace user-facing certificates with certificates signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.

Replace Certificates of the Operations Management Components in Region A
If the certificate of vRealize Operations Manager or vRealize Log Insight expires, replace it and update it on the management components in the region to maintain a secure connection.

Replace Certificates of the Cloud Management Platform Components in Region A
After you generate signed certificates for the Cloud Management Platform, replace them and update them on the management components in the region to maintain a secure connection.

Replace Certificates of the Business Continuity Components in Region A
In a dual-region environment, after you generate the signed certificates for Site Recovery Manager and vSphere Replication, replace and update the certificates on the connected management components in the region to maintain a secure connection.