>> 1. Do I need a separate SSL certificate for each customer server?
Yes. Specifically, you need a separate SSL certificate for each domain name, which implies that they will need their own domain. (For intranet apps this gets icky.)
>> 2. I know that SSL certificates have a limited lifetime. What happens if a certificate runs out regarding the workability of the webserver?
Users browsing to the site will get all kinds of scary warnings (at best), or their browser may refuse to access the site at all.
>> Do I need only to copy the renewed certificate files into the appropriate folder and replace the old ones?
Yes.
>> 3. TLS Version 1.2 with AES256 is the best regarding security!? Can I force NT to use it?
I haven't explicitly explored this as an option, but I believe OpenSSL (which is the SSL we use) has "partial" support for TLS 1.2, the "partial" meaning that the Suite B of ciphers is not yet supported. You can specify the SSL or TLS level, so I'm guessing fixing it to TLS 1.2 should not be too hard.
>> 4. Any ideas for the most secure Login mechanism for the users of my customers (users and passwords stored in the DB of each customer)?
For starters, you don't store the password at all. What you do is:
a) Add a "Salt" field, which is a non-secret, random string field for each user.
b) Create a hash (SHA-256) of the Salt & Password and store this in the database.
c) When the user logs in, calculate a hash of the Salt & WhatTheyTypedIn and see if the two hashes match.
This is considered to be a best practice: in the event of the data being compromised, actual passwords are not exposed.
Cheers
Bruce
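
Steps a) to c) above as an added Python example; it is not code from the original post or from the product discussed. The in-memory `USERS` table, the function names and the optional `iterations` parameter are assumptions, and the iterated PBKDF2-HMAC-SHA256 mode goes beyond the single SHA-256 the post describes.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for one customer's user table: username -> row.
USERS = {}

def digest(salt: bytes, password: str, iterations: int = 1) -> bytes:
    """Hash of salt & password.

    iterations == 1 is the single SHA-256 from the post; a larger value
    switches to PBKDF2-HMAC-SHA256, which makes each guess against a
    stolen table proportionally more expensive (assumed extension).
    """
    pw = password.encode("utf-8")
    if iterations == 1:
        return hashlib.sha256(salt + pw).digest()
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)

def register(username: str, password: str, iterations: int = 1) -> None:
    # a) per-user random salt; it is not secret and is stored beside the hash
    salt = secrets.token_bytes(16)
    # b) store only the salt, the iteration count and the hash, never the password
    USERS[username] = {
        "salt": salt,
        "iterations": iterations,
        "hash": digest(salt, password, iterations),
    }

def login(username: str, typed: str) -> bool:
    row = USERS.get(username)
    if row is None:
        return False
    # c) hash what was typed with the stored salt and compare the two hashes;
    #    compare_digest avoids leaking the match position through timing
    candidate = digest(row["salt"], typed, row["iterations"])
    return hmac.compare_digest(candidate, row["hash"])

if __name__ == "__main__":
    register("alice", "correct horse")                     # single SHA-256
    register("bob", "correct horse", iterations=100_000)   # iterated variant
    print(login("alice", "correct horse"), login("alice", "wrong"))
    # Same password, different salts: the stored hashes differ.
    print(USERS["alice"]["hash"] != USERS["bob"]["hash"])
```

Storing the iteration count per row lets existing single-hash accounts keep working while new or re-hashed accounts use the slower setting.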