Changing the certificate while there are users connected will disconnect them. Consider making any certificate changes in a maintenance window or when there are no users connected.

This is applicable for the intermediate CA cert as well, see: Technical Tip: Importing the intermediate CA certificate while the endpoints are connecting to the S... 

Make sure to have the SSL-VPN cert imported on the FortiGate. To import the SSL VPN certificate, refer to this article Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12 and PEM)

Once imported, there are two ways to accomplish this task of SSL VPN certificate replacement.

From GUI :

1. Locate the new certificate.
   
   

2. Go to VPN settings and update the certificate. Here it is desired to replace the 'Fortinet_Factory' with 'VPN'.

From CLI :

FortiGate-61F # config vpn ssl settings

FortiGate-61F (settings) # show
config vpn ssl settings

    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 11443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "NO-Access"
        config authentication-rule

            edit 2

                set groups "SSL-VPN"

                set portal "full-access"
            next

  end

end

FortiGate-61F (settings) # set servercert
Available Certificates:

Fortinet_Factory local
Fortinet_Factory_Backup local
Fortinet_GUI_Server local
VPN local

FortiGate-61F (settings) # set servercert VPN

FortiGate-61F (settings) # end

To know how to procure and import a signed SSL certificate, refer to this document: Procuring and importing a signed SSL certificate

Related articles:

Technical Tip: How to update a local certificate installed on a FortiGate without generating a new C...

Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12 and PEM)