To authenticate on startssl.com to get the ball rolling, you will need to have the correct authentication certificate installed in your browser. This can be seen within the ‘certificates’ section of the browser. Once you have this file, store it somewhere safe (like lastpass for example) as you’re buggered without it.
Generating a new one can be done by following the certificate wizard, generating the key and csr via openssl. create a new PKCS#12 file by selecting that option in the toolbox, providing both the key and csr and then the password used when generating it.
If you need to renew certificates, first follow through the domain and email validation steps. This is required before you can do anything else.
Once that’s done, use the Certificate wizard to generate the new certificates. Choose ‘Generated by myself’ for the CSR section and use openssl to generate your CSR and KEY. Then replace the existing certificates within NGINX as required. The .key file will be the same one you used to generate the CSR file on the server and the CRT file is that downloaded from startssl