For certain parts of manual certificate replacement, you must stop all services and then start only the services that manage the certificate infrastructure. If you stop services only when needed, you can minimize downtime.
Follow these rules of thumb.
Do not stop services to generate new public/private key pairs or new certificates.
If you are the only administrator, you do not have to stop services when you add a new root certificate. The old root certificate remains available, and all services can still authenticate with that certificate. Stop and immediately restart all services after you add the root certificate to avoid problems with your hosts.
If your environment includes multiple administrators, stop services before you add a new root certificate and restart services after you add a new certificate.
Stop services right before you perform these tasks:
Delete a machine SSL certificate or any solution user certificate in VECS.
Replace a solution user certificate in vmdir (VMware Directory Service).