Alright, I need a quick sanity check.
After going through the steps in KB 2034833, I've managed to update all of my SSL certs for everything else without issue. There were no errors in generating the requests, the certs themselves, or the actual process of replacing them on the SSO, inventory service, vCenter Server, web client, log browser, and orchestrator.
When I get to Update Manager, I've used the automation tool as well as the manual process. The correct certs are in the SSL directory, and there were no apparent errors when updating using both methods. Yet, after restarting the service, I can open my vSphere client and still get warnings about the certificate from my Update Manager server. Looking at the certificate, it appears to be a fresh SSL cert generated when the services were restarted.
I've searched high and low for any indication that there's a bug. I can't seem to find a lot of data regarding this particular issue, save for 1 communities posting that was never answered. Right now this is my only snag. We have local risk requirements that state I have to change these certs to valid CA-signed ones. I would hate for us to have to uninstall Update Manager just because we can't get cleared for compliance.
Anyone have any insight? Suffice it to say I've followed the KB where you use the utility / update the host DNS so that you can connect to a vCenter on a different VM, as well as the automation tool. The certs are valid and I made sure they have the right flags.