My understanding is that StartSSL will, by default, generate a TLS/SSL private key and public certificate pair for you server side. One can manually override by creating a private key locally and uploading a CSR.
The site authentication private key and the S/MIME private key, however, are always generated in the user's browser.
From my experience (on OS X), if you want maximum flexibility for selecting your S/MIME key size, the browser you should use is the last pre-Chromium release of Opera. It allowed me to select 4096-bit RSA private key and SHA-256 hash algorithm, whereas Firefox, Safari, and Chrome have no option greater than 2048 bits.
The site authentication private key and the S/MIME private key, however, are always generated in the user's browser.
From my experience (on OS X), if you want maximum flexibility for selecting your S/MIME key size, the browser you should use is the last pre-Chromium release of Opera. It allowed me to select 4096-bit RSA private key and SHA-256 hash algorithm, whereas Firefox, Safari, and Chrome have no option greater than 2048 bits.