I need to purchase and install SSL certificates for mail SSL encryption on more than one cPanel account.
Currently you can only install one globally for the entire server.
Currently, if you want to use SNI for mail services on any name that is not a web domain on the account (so for example, mail.example.org where an account web domain is example.org), you have to use a wildcard certificate.
Installing a certificate with a SAN of mail.example.org is not sufficient to make Exim et al. respond to an SNI request for mail.example.org. This is because the mail.example.org name does not appear in the mail SNI map.
Probably not ideal now that we have wildcard-less CAs like Let's Encrypt getting popular.
There is currently no way to persistently modify the Mail SNI map (/etc/mail_sni_map), which informs the listening services on how to negotiate SNI.
A workaround is to modify the Exim (and other service) configs to read from another database for additional SNI names. This is potentially forwards-incompatible and a pain to manage.
When installing a certificate, cPanel should read the SANs out of the certificate and install them into any relevant SNI configurations.
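The gap described above can be checked by comparing a certificate's SANs against the names in the mail SNI map. The following is an added example, not cPanel code: it assumes the map holds one "name: certificate-path" entry per line, that a wildcard appears as a "*.parent" entry, and that the SAN text is the output of `openssl x509 -noout -ext subjectAltName`; all sample data and paths are constructed.

```python
# Added example: which SANs on a certificate have no entry in the mail SNI map?
# Assumptions (not from the page): one "name: certificate-path" entry per map
# line, wildcards stored as "*.parent", SAN text as printed by openssl.

def parse_sans(openssl_text):
    """Return lowercase DNS names from an openssl subjectAltName listing."""
    names = []
    for part in openssl_text.replace("\n", ",").split(","):
        part = part.strip()
        if part.startswith("DNS:"):
            names.append(part[4:].strip().lower().rstrip("."))
    return names

def parse_sni_map(map_text):
    """Return the set of names (left of the first colon) in the map text."""
    names = set()
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        names.add(line.split(":", 1)[0].strip().lower())
    return names

def covered(name, map_names):
    """True if name has an exact entry or a one-label wildcard entry."""
    if name in map_names:
        return True
    _, _, parent = name.partition(".")
    return bool(parent) and ("*." + parent) in map_names

def missing_from_map(openssl_text, map_text):
    """SANs that a mail service could not answer for via SNI."""
    map_names = parse_sni_map(map_text)
    return [n for n in parse_sans(openssl_text) if not covered(n, map_names)]

# Constructed sample data (placeholder paths, not real cPanel locations)
SAMPLE_SANS = """X509v3 Subject Alternative Name:
    DNS:example.org, DNS:www.example.org, DNS:mail.example.org
"""
SAMPLE_MAP = """example.org: /path/to/example.org.pem
www.example.org: /path/to/example.org.pem
"""
SAMPLE_MAP_WILDCARD = SAMPLE_MAP + "*.example.org: /path/to/wildcard.pem\n"

if __name__ == "__main__":
    print(missing_from_map(SAMPLE_SANS, SAMPLE_MAP))
    print(missing_from_map(SAMPLE_SANS, SAMPLE_MAP_WILDCARD))
```

Names in the returned list are those for which a client sending that SNI name would not be matched to this certificate.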