Comment by grey-area

Here's the current process:

Generate key, Generate CSR, Send CSR, Receive Certs from CA, Verify ownership, Install certs

Presumably their command line client creates the key, the CSR, sends the CSR, then gets back the certs (at least I'd hope so). I'd be happy to use a vetted command line utility which did that, or even just parts of that process, if I were sure the private key were not transmitted. It's just automating stuff which with current CAs needs to be done manually.