Here are the instructions used to make the certs.
The private key is "privateKey.key".
The current StartSSL cert is "ssl.crt".
To create a Certificate Signing Request using the current ssl cert being used in the webserver.
openssl x509 -x509toreq -in ssl.crt -out CSR.csr -signkey privateKey.key
Look into the file CSR.csr and select only the Request like the following. Makeing sure every dash is copied. Otherwise it will cost money.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Put it into the StartSSL and get the cert.
Copy the cert into a new ssl.crt file.
Now have to create a combine file with the ssl.crt to be used in the webserver.
cat ssl.crt sub.class1.server.ca.pem ca.pem > webserver.crt
"sub.class1.server.ca.pem" and "ca.pem" are the root certs from StartSSL.
Then we need to create a combine file ssl.crt to be used with postfix.
cat ssl.crt sub.class1.server.ca.pem > smtpd.cert
Here are the links I used earlier to do research.
Here is how to encrypt a private_ssl_key.
To encrypt the key unencrypted.key and output it to encrypted.key, run this command: openssl rsa -in unencrypted.key -des3 -out encrypted.key
From completeness sake, to reverse the encryption (not sure why you would want to do that!), run this command: openssl rsa -in encrypted.key -out unencrypted.key
Got the above from,