If you are using the Server Admin GUI to update/replace an expiring certificate (say, from Verisign) with a newer one that has the same hostname/common name, here is tip so you don’t get stumped:
When looking to replace/update a certificate, you’ll need to delete the existing certificate before importing the newer one (using Server Admin is fine for that).
If you attempt to import the newer certificate an incorrect error dialog appears saying that the certificate data/passphrase may be wrong and to double check it.
The error dialog is wrong.
It should alert you that a certificate with the same hostname/common name already exists on the server and you’ll need to remove it before importing the current one (yes, bugs have been filed with Apple already).
The only tip off as to the real issue is in the system.log which reports an error from the server manager deamon stating a certificate with the same identity already exists.