I eventually found solution

Set  "Toggle certificate setting" to ON from web UI or by creating file:

vcenter:~ # touch /etc/vmware-vpx/ssl/allow_regeneration

Stop all vmware-* services except vmware tools or switch to runlevel 2:

vcenter:~ # init 2

This will trigger same bash function that creates certificates on reboot with "Toggle certificate setting" ON:

vcenter:~ # source vpxd_commonutils; regenerate_certificates

script checks if existing certificate is self signed and if you have different hostname than specified in cert.

If you want to regenerate certificates without checking:

vcenter:~ # source vpxd_commonutils; generate_all_certificates replace

scripts MUST end with VC_CFG_RESULT=0, if not, check if vmware services are stopped

Set  "Toggle certificate setting" to OFF or:

vcenter:~ # rm /etc/vmware-vpx/ssl/allow_regeneration

vcenter:~ # reboot

It's not necessary to boot from a LiveCD or linux rescue disc.

When the appliance starts, the GRUB boot loader shows briefly.

• When it appears, hit the up or down arrow to stop the boot countdown clock (which is only like 2 seconds).
• Following the instructions at the bottom of the screen, hit "p" to enter the unlock password (which is the root password).  This will allow you to change the boot-time string.
• Highlight "VMWare vCenter Server Appliance" and press "e" to edit the boot settings.
• Highlight the "Kernel..." line and press "e" to edit the boot string.
• Append a "1" to the end so that it looks like this: "...showopts 1" (minus the quotation marks)
• Press enter, and then "b" to boot.

This will cause the appliance to boot in init level 1 (or single-user maintenance mode).  From here, the root password will get you into the console where you can delete /etc/vmware-vpx/ssl/allow_regeneration.  Reboot the server when you're done with "shutdown -r now".  It shouldn't be necessary to go back into GRUB to remove the "1" you added earlier.