Apple Certified Macintosh Experts
Serving East Tennessee since 1994

Server Configuration

One weakness of MacOS X Server 10.4 is how it handles SSL certificates. There is virtually no documentation from Apple detailing the intricacies of creating, importing, and renewing SSL certificates. On the web you will find lots of information about creating new certificates and they all differ in their approach. In our search we found very minimal information regarding renewing certificates.  Other directions were pretty vague and I think that's where a lot of confusion comes into play. I can't say that these steps will definitely work for you any better than the other directions you can find on the internet, but I can say that I have documented every step the best I can as clearly as I can. 

These instructions were written for a third-party SSL provider such as RapidSSL or GoDaddy. The actual CSR submission will vary by provider: usually you copy and paste the text from the .csr file into the provider's web form, though some may have you email it to them.

These instructions were also written from the viewpoint of using the SSL certificate only for email services. Using the certificate for other services should only require stopping the service, importing your certificate, waiting a minute or two, pointing the service at the newly imported certificate, and restarting the service. YMMV.

Working directly on the server, log in as an admin user and stay within ~/ while running these commands so that you don't overwrite anything in /etc/certificates/.

In Terminal, generate a 1024-bit key, since apparently OS X 10.4 does not like 2048-bit keys. I learned that the hard way:

openssl genrsa -des3 -out server.company.com.key 1024

Then generate the CSR:

openssl req -new -key server.company.com.key -out server.company.com.csr

Rename server.company.com.key to server.company.com.keyencrypt

Then remove the encryption password via:

openssl rsa -in server.company.com.keyencrypt -out server.company.com.key

When you receive the certificate text by email, paste the contents into a new .crt file via:

pico server.company.com.crt
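Before you delete the old certificate in Server Admin, it is worth confirming that the .crt you pasted really belongs to the key you generated and is not already close to expiry; an import of a mismatched pair is the usual reason the new certificate never shows up in the SSL menus. The script below is an added example, not from the original post: it repeats the three openssl steps above non-interactively and adds those two checks. The hostname mail.example.com and the passphrase are assumptions, and the 1024-bit size is only for 10.4 as noted above; any current system should use 2048 bits or more.

```sh
#!/bin/sh
# Added example, not from the original post. Repeats the key/CSR/passphrase
# steps non-interactively and adds two checks to run on the .crt the CA
# returns before touching Server Admin. Hostname/passphrase are assumptions.
set -eu
umask 077   # files created in ~/ stay readable only by this admin user

# The three openssl steps from the post: encrypted key, CSR, passphrase-less copy.
# $1 = hostname, $2 = key size in bits (1024 only because 10.4 requires it),
# $3 = passphrase protecting the .keyencrypt backup copy
make_key_and_csr() {
    host=$1; bits=$2; pass=$3
    openssl genrsa -des3 -passout "pass:$pass" -out "$host.keyencrypt" "$bits" 2>/dev/null
    openssl req -new -key "$host.keyencrypt" -passin "pass:$pass" \
        -subj "/CN=$host" -out "$host.csr" 2>/dev/null
    openssl rsa -in "$host.keyencrypt" -passin "pass:$pass" -out "$host.key" 2>/dev/null
}

# Check 1: the certificate must carry the public half of the key you will import.
# Prints "match" or "mismatch".  $1 = .crt file, $2 = passphrase-less .key file
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    if [ "$crt_mod" = "$key_mod" ]; then echo match; else echo mismatch; fi
}

# Check 2: the certificate must still be valid for at least $2 seconds.
# Prints "valid" or "expiring".  $1 = .crt file
cert_valid_for() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; then
        echo valid
    else
        echo expiring
    fi
}

# Stand-in for the CA: self-sign the CSR for $2 days (demonstration only;
# the real .crt comes from your provider and is pasted into $host.crt).
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" -out "$1.crt" 2>/dev/null
}
```

Run cert_matches_key and cert_valid_for against the provider's .crt and your .key; if either prints "mismatch" or "expiring", fix that before deleting anything in Server Admin.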

MAKE SURE YOU HAVE BACKUPS of /etc/certificates/ before continuing!

In this example the certificate is only used for mail, so you don't have to stop web services, but stop Mail just to be on the safe side.

In Server Admin 10.4 -> Settings -> Certificates

Highlight the expiring certificate ... take a deep breath and make sure you made that backup ... click the "-"  button to delete it.

Click SAVE

(At this point you may want to look in Keychain Access to confirm that the certificate in the "System" keychain for your server is also gone. This should be automatic, and it also removes the associated files from /etc/certificates/.)

wait 10-15 seconds

Click on Import

For the Certificate File click on [...] and navigate to your home folder. Since the file names are invariably longer than the window can display in 10.4, you may just have to remember the alphabetic order of the associated files. Select the CRT file.

Repeat for the Private Key file.

Since the password was removed from the key, the Private Key Passphrase field can be left blank.

Click Import.

If everything has gone right, the new certificate with the new expiration date should appear in the list.

You may have to wait a couple of minutes for things to happen behind the scenes before the certificate is actually available. Since Mail is the only service that uses this certificate, start the Mail service back up, then quit Server Admin. Wait a couple of minutes more before relaunching Server Admin.

Click on Mail -> Settings -> Advanced -> Security within Server Admin.

If the SSL menus still say "Custom Configuration" or anything other than the cert you just imported, and the server cert isn't listed as an option, quit Server Admin and wait a few minutes more. It shouldn't take much longer to take effect, and when you relaunch Server Admin the correct cert should be selected. If you created the cert under a different name than the one you used before, you'll still have to pick it manually from the SSL menu.

If it still isn't showing up, restart the server. If that doesn't do it, it's a good thing you made the backup of the old certificate. To revert to the previous cert (which hopefully hasn't expired just yet), repeat the process of deleting and importing; you may need to remember the passphrase for your original key.

Run Mail.app on client machines and do a test send & receive and make sure it works.