This procedure is for the new CACert signed certificates. Substitute the fully-qualified domain name of the service for service-fqdn. For example, mail.skynet.ie.
On the appropriate server:
Make sure to set the 'Common Name' to the service-fqdn. All the rest is ignored:
openssl req -nodes -days 900 -new -keyout service-fqdn.priv -out service-fqdn.csr
Paste the contents of service-fqdn.csr into the text box in CACert->Server->New
Choose class 1 root certificate and click submit
Double-check the server name, then hit submit
Paste the contents of the text box into service-fqdn.pem
cat service-fqdn.priv >> service-fqdn.pem
You can now delete the .csr and .priv files
Make sure the permissions are correct (only the appropriate daemons should be able to read the cert files)
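A check of the assembled file before restarting any daemons, as an added example that is not part of the original procedure: it confirms that the certificate matches the appended private key, that the Common Name is the service-fqdn, and that the file is not world-readable. The function name check_service_pem is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the combined service-fqdn.pem (certificate + key).
# check_service_pem is a hypothetical helper name, not part of the procedure.
check_service_pem() {
    pem=$1
    fqdn=$2

    # Both the signed certificate and the appended private key must be present.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate in $pem" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key in $pem" >&2; return 1; }

    # The certificate must belong to this key: compare the two public keys.
    # -passin pass: makes an unexpectedly encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate does not match private key" >&2; return 1; }

    # The Common Name must be the service-fqdn entered in the request.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$fqdn" ] ||
        { echo "Common Name is '$cn', expected '$fqdn'" >&2; return 1; }

    # The key was written unencrypted (-nodes), so the file must not be world-readable.
    [ -z "$(find "$pem" -prune -perm -004)" ] ||
        { echo "$pem is world-readable" >&2; return 1; }

    echo "$pem OK for $fqdn"
}

# When saved as a script: sh check.sh service-fqdn.pem service-fqdn
if [ $# -eq 2 ]; then check_service_pem "$1" "$2"; fi
```

A key/certificate mismatch usually means the text box contents were pasted into the wrong service's .pem, or the .priv came from a different request.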
Updating SSL cert on LDAP
Stop postfix before working on the ldap server.
Restart saslauthd afterwards, as it caches certs.