Comment by Ayesh

14 hours ago

It's been a long time, so this is my fading memory, but CAs used to generate a private key on their end and let you download both the private key and the certificate containing the public key. The non-technical person who paid big money for the certificate then emails the zip file to the developer. That's when StartTLS wasn't that big back then either.

Just comically bad way to obtain certs.

Many CAs have in-browser JavaScript-based private key generation.

(Of course the same page has Google Analytics and a Facebook button -- otherwise it would be too secure.)