In my lab I made the mistake of trying to swap out the embedded deployment VCSA 6.5 cert using the /psc interface without a snapshot.
It didn't take long to swap, and I assumed that something went wrong, because I knew that more recent versions automatically run update_ls_certs.py (or equivalent).
Upon a reboot, the vSphere Web Client wouldn't load, so I used the certificate manager tool to re-generate the SSL cert from the VMCA, then later from Let's Encrypt (this time using the shell script rather than the /psc interface).
NSX Manager was of course annoyed because the sslTrust attributes in the MOB weren't updated.
Current state - some sslTrust values have the current cert, others have the original VMCA cert from my June 2nd installation, and running ls_update_certs on the 6/2 cert's thumbprint (from the MOB) updates 0 services.