I'd like to share my experience of how the process went.
As initially stated, I needed to renew my Push Certificate within 30 days, but had renamed my Apple ID (from myname@company.com to itdepartment@company.com).
Renewing meant re-enrolling all devices. Somebody suggested I should upgrade to Mountain Lion Server first, THEN renew; it would be easier then (you know, click one button and BOOM, magic..).
So, the idea then was
- Perform in-place-upgrade
- re-enroll certificate after upgrade
Short answer... that didn't work out.
Before upgrading, I trained on a cloned system.
In the process of the upgrade, you HAVE to enter an Apple ID (i.e. email address) to connect to the APNS ... that means it either is exactly the one you created the Push Certificate with in the first place, or you re-enroll all your devices - Apple gives a nice warning message during the process.
OK, gnashing teeth, I renamed the Apple ID back to the original state and tried the in-place upgrade again, this time on the production server ... what could go wrong, it worked out before on the clone (sans the certificate part) ... hhhm ... not this time. It seemed to be some problem with the RAID card. But hey, that's what Carbon Copy Cloner, psqldump and Time Machine are for, right?
Wrong.
After the restore, my production machine came up fine, everything worked - except pushing anything to my devices.
So, technically I restored OS X Lion Server to a running state AND had 3 different means of backup, just in case (CCC, Time Machine, scripted DB dumps and OD dumps), and still in the end I had a bunch of devices that needed to be re-enrolled. Brilliant.
More gnashing teeth. Now, knowing I needed to re-enroll anyway, I installed ML Server from scratch, created a new Push Certificate (using itdepartment@company.com), re-entered ALL mobile devices, policies and groups by hand (oops, Apple dropped psqldump support in ML Server, there is no database import from prior versions.. FRAK) and re-enrolled all devices, happy users assured.
And now the fun part: If you sign your mobile profiles (you know, that checkbox in Server App) for extra security, you need to take care of your Code Signing Certificate's validity. You can renew this easily (one click, BOOM, magic).
The Code Signing Certificate is valid for 1 year. If you renew this certificate, re-enrollment is mandatory.
DOUBLE-FRAK.
So in the end, it didn't matter at all that I renamed my Apple ID back and forth, it didn't matter that the in-place upgrade didn't work out and I had to do a clean install; there was actually no option of pulling this stunt without re-enrolling all devices, at least when the Code Signing Certificate was about to expire.
Please Apple, FIX this. It cannot be that I have to re-enroll all my devices EVERY YEAR. Why are your certificates only valid for one year? Why can't you design a convenient mechanism to renew all certificates and push them to the devices automatically?