I had the certificates re-issued with a new CSR created using the current openssl 3.0.1, and the resulting certificate worked fine with Apache, Postfix, Dovecot, and MariaDB, so encryption is now secured for another year.