The process is fairly trivial
BACKUP your vCenter first and I strongly advise you to power it off, take a cold snapshot then boot it back up. Powering off vCenter will not affect the running operations of your VMs
You can have the VCSA generate the CSR for you, at which point is uses an embedded private key or you can generate your own. I went to GoDaddy and created the CSR there, got the private key during the creation.
You then go to replace the cert in administration -> certificate management. Paste in the public and private key and if you need to, the intermediates as well. If there is something it does not like in the chain, it will complain.
Once you do this and it is happy with the chain, it will restart all vCenter services. vCenter will have a brief outage until evertyhing comes back up. You can login to the VAMI interface on port 5480 to monitor the services being restarted.
Confirm you can access the site without any errors, then purge your snapshot , or roll back if it blew up on you. No downtime to any f your VMs, only vCenter itself is temporarily affected.