Create SSL certs

Here are the instructions used to make the certs.

The private key is "privateKey.key".

The current StartSSL cert is "ssl.crt".

Create a Certificate Signing Request from the current SSL cert being used in the webserver:

openssl x509 -x509toreq -in ssl.crt -out CSR.csr -signkey privateKey.key

Open the file CSR.csr and select only the request, like the following, making sure every dash is copied. Otherwise it will cost money.

-----BEGIN CERTIFICATE REQUEST-----
cGA1UEDRMQeTELMAkGA1UE
-----END CERTIFICATE REQUEST-----

Paste it into StartSSL and get the cert.

Copy the cert into a new ssl.crt file.

Now create a combined file from ssl.crt to be used in the webserver.

cat ssl.crt sub.class1.server.ca.pem ca.pem > webserver.crt

"sub.class1.server.ca.pem" and  "ca.pem" are the root certs from StartSSL.

Then we need to create a combined file from ssl.crt to be used with postfix.

cat ssl.crt sub.class1.server.ca.pem > smtpd.cert
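A check worth running before pasting the request into StartSSL, as an added example that is not part of the original post: it pulls only the request block out of CSR.csr and confirms that the key, the current cert and the request all carry the same public key. The helper names are hypothetical; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: helper names (key_pub, check_csr, ...) are hypothetical.
# File names follow the post: privateKey.key, ssl.crt, CSR.csr.

# Each helper prints the public key of its input as PEM (SubjectPublicKeyInfo).
key_pub()  { openssl pkey -in "$1" -pubout; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey; }   # reads the first cert in the file
csr_pub()  { openssl req  -in "$1" -noout -pubkey; }

# Print only the PEM request block, dashes included, dropping any text around it.
extract_csr() {
  sed -n '/-----BEGIN CERTIFICATE REQUEST-----/,/-----END CERTIFICATE REQUEST-----/p' "$1"
}

# True only if both public keys are non-empty and identical.
same_pubkey() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# check_csr <key> <cert> <csr>: writes <csr>.pem and confirms key, cert and CSR agree.
check_csr() {
  extract_csr "$3" > "$3.pem" || return 1
  k=$(key_pub "$1") || return 1
  same_pubkey "$k" "$(cert_pub "$2")"    || { echo "key does not match $2" >&2; return 1; }
  same_pubkey "$k" "$(csr_pub "$3.pem")" || { echo "key does not match $3" >&2; return 1; }
  echo "OK: paste the contents of $3.pem"
}
```

Run it as `check_csr privateKey.key ssl.crt CSR.csr`. Because `openssl x509` reads only the first certificate in a file, comparing `cert_pub webserver.crt` against `key_pub privateKey.key` also confirms the server cert comes first in the combined file.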

Here are the links I used earlier to do research.

https://www.startssl.com/?app=42

http://blog.sbf5.com/?p=94

http://redkestrel.co.uk/articles/openssl-commands/

Here is how to encrypt a private_ssl_key.

To encrypt the key unencrypted.key and output it to encrypted.key, run this command: openssl rsa -in unencrypted.key -des3 -out encrypted.key

For completeness' sake, to reverse the encryption (not sure why you would want to do that!), run this command: openssl rsa -in encrypted.key -out unencrypted.key

Got the above from,

http://nerdboys.com/2011/02/20/how-to-encrypt-ssl-certificate-private-keys-from-the-command-line-with-openssl/2/

Keywords: OpenSSL StartSSL SSL
