I've seen other threads related to 5.1 and failing to replace SSL certs on vCenter Server, but I'm not able to use any of those solutions to fix my problem.
This is a 2008R2 host that originally had 5.1 on it; that was a clean install, not an upgrade from 5.0 or earlier.
The CAT (Certificate Automation Tool) is able to cleanly replace & update trusts for SSO and the Inventory Service, but fails when trying to update vCenter Server. The failure appears similar to other problems posted--the symptom is a log entry that indicates there may be multiple certs, services or entries making things non-unique--but I've been able to validate that one (and only one) entry for vCenter Server exists, that everything is matching from a certificate perspective, and that the new certificates have the right attributes, key sizes, etc.
The one thing that is clear in this environment is the failed result from invoking the reloadSslCertificate method in the MOB (https://vcenter/mob/?moid=vpxd-securitymanager&vmodl=1) even before trying to do any certificate updates. The result reason for the failure is "data buffer too large". Not a lot more information is available in vpxd.log.