OK, easy indeed:

openssl req -new -key ssl-cert-snakeoil.key -out ssl-cert-snakeoil.csr

Again, I’ve used the primary key generated by dovecot to generate the Certificate Signing Request. Copy-paste into cacert.org, wait, copy-paste from cacert.org into new .cert file on the server and tell dovecot to use this new certificate (easily done from webmin.)

UPDATE: using a private key that you did not yourself create is not secure. Check this post on how to create your own keys.