There is currently no way to replace a self-signed certificate because it is pinned by all the clients who ever connected.

To go to a CA-signed certificate you need to also change your DNS name so that your server will have a new identity.

About a day ago I did this with one of my electrum servers, and though it is taking connections, the traffic is much lower than it used to be. This is partly because Electrum clients prior to 2.0 cannot connect at all with a CA-signed certificate, but mostly because it takes a while for everyone to discover the new server.

BTW, I got my cert from StartSSL and to make it work I had to append the intermediate CA bundle to the end of my .crt file.