Tags: linux, ssl, https, ssl-certificate, csr

Is it safe to email SSL certificates?


When I purchase SSL certificates, I submit the CSR securely through the vendor's website. The vendor then emails me the certificate that I need to install on my server.

Is it safe to email the certificate like that? For example, if someone intercepted the email with my certificate, could they compromise/decrypt my SSL?

If so, what's the safest way to get the certificate from my vendor onto my server?


Solution

  • Yes, it's safe, because this certificate is signed by a well-known certificate authority. You, and everyone who connects to your server, can validate the certificate to get assurance that the public key belongs to you alone.

    In addition, you need to protect the private key that corresponds to the public key in the certificate. You must not disclose it to anyone: you don't need to send it to the certifying authority, and you shouldn't use a private key that was generated by anyone else.

    The certificate is public; when you install it, it will be sent to everyone that connects as part of the process to authenticate your server.

    If you use certificates that are not signed by a trusted certificate authority (self-signed, or signed by some private partner system), you'll need a way to make sure that everyone that wants to validate your certificate has a genuine root certificate, and not one that was tampered with by an attacker.
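The answer's two points, that the certificate is public but must belong to your own key and must be checkable against a trusted CA, translate into two checks you can run on the mailed certificate before installing it. The script below is an added example, not part of the original answer: it uses the `openssl` command line to confirm that the received certificate embeds the public half of the private key you generated locally, and that it chains to a CA file you already trust. A certificate that fails either check was not issued for your key (for instance, an attachment replaced in transit) and must not be installed. The `make_fixture` function builds a throwaway scenario (a constructed test CA standing in for the vendor, plus a certificate for a different key with the same name) so the script runs offline; all file names and subjects are constructed, and the only assumption is that `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the original answer): vet a certificate that
# arrived by e-mail before installing it.
#   1. its public key must match the private key we generated locally;
#   2. it must chain to a CA we already trust.
set -eu

# cert_matches_key KEY CERT: succeed only if CERT embeds the public half of KEY.
# Comparing the SubjectPublicKeyInfo works for RSA and EC keys alike.
cert_matches_key() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_chains_to CAFILE CERT: succeed only if CERT validates against the
# trust anchor(s) in CAFILE (the vendor's root/intermediate bundle).
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_received_cert KEY CERT CAFILE: print a verdict per check; exit
# status is 0 only when both checks pass.
check_received_cert() {
  status=0
  if cert_matches_key "$1" "$2"; then
    echo "OK   public key matches $1"
  else
    echo "FAIL public key does not match $1"; status=1
  fi
  if cert_chains_to "$3" "$2"; then
    echo "OK   chains to $3"
  else
    echo "FAIL does not chain to $3"; status=1
  fi
  return $status
}

# make_fixture: build a constructed scenario in a temp dir and print its path.
#   ca.*      throwaway CA standing in for the vendor (constructed, not real)
#   server.*  our key, CSR, and the certificate the vendor would mail back
#   other.crt a certificate for a DIFFERENT key with the same subject name,
#             i.e. what a swapped attachment would look like
# A private config is written so the run does not depend on the system
# openssl.cnf.
make_fixture() {
  d=$(mktemp -d)
  cat > "$d/test.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -config "$d/test.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.crt" -days 1 >/dev/null 2>&1
  # Our key and CSR: the key never leaves this directory.
  openssl req -new -config "$d/test.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=example.test" >/dev/null 2>&1
  # The certificate the vendor would send back by e-mail.
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/test.cnf" -extensions leaf_ext -out "$d/server.crt" -days 1 >/dev/null 2>&1
  # Same name, different key, not issued by our CA.
  openssl req -x509 -config "$d/test.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/other.key" -out "$d/other.crt" -subj "/CN=example.test" -days 1 >/dev/null 2>&1
  printf '%s\n' "$d"
}

# Usage: sh check_cert.sh server.key received.crt vendor-ca-bundle.pem
if [ "$#" -eq 3 ]; then
  check_received_cert "$1" "$2" "$3"
fi
```

In practice you run `check_received_cert` with your own key, the mailed certificate, and the CA bundle the vendor publishes through its website rather than by e-mail, so the trust anchor does not come over the same channel as the certificate you are checking.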