I just opened a case with VMware and will see how far I get.
You can replace the certs in VCSA so you don't get a certificate warning when you connect via vSphere client / web client, but you can't replace the cert in the ESXi host. And really, you don't need to finish all the steps in KB2036744 to get the front end to report a signed certificate chain - I really didn't care for the internal certs used by SSO / Inventory Service / VAMI, etc - I only cared about the front end, and that means vSphere Web Client / vSphere Client against the VCSA, and the ESXi host. The last item is not working.
Basically the minute you successfully complete "vpxd_servicecfg certificate change", the vCenter front end should already be reporting the new certs to the client / browser - the rest of it I really didn't care for (not to mention that they all had to have different subject names because they get registered into SSO). Even the first few steps of KB2036744 I have opinions about their correctness (why stick the whole cert chain as a file into /etc/ssl/certs and symlink to the hash, when each root CA and intermediate CA cert should be in its own file and symlinked separately).
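
The one-file-per-CA layout described in the post above, as an added example that is not part of the original post or of KB2036744: a PEM bundle is split into individual files and each certificate gets its own `<subject-hash>.N` symlink. The function names, the file prefix and the directory arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the post or the KB): lay out a CA directory with
# one certificate per file and one subject-hash symlink per certificate.

# split_chain BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-1.pem, OUTDIR/PREFIX-2.pem, ... and prints the count.
# Text outside BEGIN/END CERTIFICATE markers is dropped.
split_chain() {
    awk -v out="$2/$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END { print n + 0 }
    ' "$1"
}

# link_by_hash DIR PREFIX
# For every DIR/PREFIX-*.pem, create DIR/<subject-hash>.N pointing at it.
# N starts at 0 and is bumped only when a different certificate already
# occupies that name (two subjects hashing to the same value).
link_by_hash() {
    for pem in "$1/$2"-*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -hash -in "$pem") || return 1
        n=0
        while [ -e "$1/$hash.$n" ] && ! cmp -s "$1/$hash.$n" "$pem"; do
            n=$((n + 1))
        done
        # Relative link so the directory can be moved or copied as a unit.
        ln -sf "$(basename "$pem")" "$1/$hash.$n"
    done
}
```

Run `split_chain` on the bundle first, then `link_by_hash` on the same directory and prefix; `openssl x509 -hash` reads only the first certificate in a file, which is why each CA needs its own file before hashing.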