This becomes visible when the cert is flagged to also work for mail.[domain]. postfix starts to throw warnings about a malformed BASE64 value on the domain's private cert.
It's happened enough times now for me to know what to do - which is to delete the cert in CWP Admin, re-create it, and restart httpd and postfix.
I suspect the cron-driven update of SSL certs needs a look to see why that causes problems while the manual creation does not.
Postfix warnings look like this:
May 17 13:33:34 x.x.x.x postfix/smtpd[11979]: warning: table hash:/etc/postfix/vmail_ssl.map.db: key mail.domain.com: malformed BASE64 value: /etc/pki/tls/private/domain.com.key