The CA.pl example script coming with OpenSSL has a couple of nice features (among lots of exceedingly ugly ones), namely -signcert: that one, slightly adjusted to eat real input files instead of this silly newcert.pem foolishness, can convert an existing cert into a req and does sign that afterwards.
Sweet. That allows me to quickly fix my "365 days only" blunder for my personal certs (used for email mostly): use old cert, old key, run CA.pl -signcert with a nice, 10 year validity and presto, new cert. (Even better would have been had I found out about that before I had replaced the CA cert - also too shortlived - with a completely new one...sigh.)
Don't forget to copy cert and key to the proper location (usually /etc/ssl/{certs,private}) and check that annoying symlink from keyid.0 to the cert. Fortunately it's the key id, not anything associated with the cert, so you don't have to redo this when your cert is redone. (I always forget how to produce the friggin hash: openssl x509 -hash -noout < cert is the necessary magic, or use c_rehash.)
stunnel expects both key and cert (PEM format) in a single file, and cat is your friend.
How am I using this stuff?
The CA cert is installed on my servers and clients, known as trustworthy signer to the applications I use with SSL: sendmail and fetchmail.
The sendmail on the client presents its cert in the TLS startup, and on the server side I've got this in /etc/mail/access:
CertIssuer:/C=AT/O=snafu.priv.at/CN=snafu+20CA RELAY
That takes care of outbound email.
fetchmail on the client runs with
--sslcertck --sslcertpath /etc/ssl/certs/ --ssl
and against the FQDN servername (as in the cert). Thus fetchmail requires a server cert signed by a locally known good signer.
On the IMAP server I'm running stunnel with
-A /etc/ssl/certs/snafuCA.cert.pem -p /etc/ssl/certs/stunnel.pem
which makes it present its cert and the CA cert, so everything fits together.