I recently went to renew a code signing certificate. In preparation I went through our usual process (as for web server certificates) of creating a key pair and a CSR with OpenSSL. When I then went through the renewal process, I was not given a chance to upload the CSR.
Instead, after the CA had validated my identity, I received a custom link. When I followed it, apparently a key pair was generated by my browser and automatically imported into my Mac's keychain. I did not even know this was possible before. The matching certificate was placed in the Downloads folder.
It is company policy here that private keys are created and managed by us. While I have no reason to suspect the CA does anything fishy, I still don't like that I can't really verify where the key came from.
An explanation of what I am missing here would be much appreciated; the CA's chat support was not able to explain it.
Edit: I have since read more through DigiCert's documentation and learned that if I choose "Sun Java" as my platform, I can actually provide a CSR and afterwards download the certificate as usual. I would still like to know if there is a particular reason for this and how it actually works.
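As an added example (not part of the original post), here is the CSR-based route that the poster's company policy calls for, done with OpenSSL from a POSIX shell: the key pair and CSR are generated locally, and the certificate that comes back is checked against that key by comparing SHA-256 fingerprints of the public key in each. Because no CA is reachable offline, the issued certificate is stood in for by self-signing the CSR, and a second, unrelated certificate is created to show the check failing. Subject names, file paths and key sizes are placeholders I chose, not anything from the question or from DigiCert.

```shell
#!/bin/sh
# Added demonstration script (not from the original post or any CA's docs):
# generate the key pair and CSR ourselves, then verify that a certificate
# really carries the public key of the private key we hold.
set -eu

# Scratch directory for the generated files (placeholder location).
WORK="${WORK:-$(mktemp -d)}"

# 1. Generate a 3072-bit RSA private key and a CSR for it. This CSR is what
#    would be uploaded to the CA. Subject values are made up for the example.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORK/codesign.key" 2>/dev/null
  openssl req -new -key "$WORK/codesign.key" -out "$WORK/codesign.csr" \
    -subj "/CN=Example Corp Code Signing/O=Example Corp/C=US"
}

# 2. Stand-in for the CA's issued certificate: self-sign the CSR with our own
#    key. Only the public key inside the certificate matters for the check.
issue_cert_from_csr() {
  openssl x509 -req -in "$WORK/codesign.csr" -signkey "$WORK/codesign.key" \
    -days 365 -out "$WORK/codesign.crt" 2>/dev/null
}

# 3. A certificate for some other key (e.g. one a browser generated without us),
#    used to show that the check detects a certificate that is not ours.
make_unrelated_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -days 365 \
    -subj "/CN=Unrelated/O=Example Corp/C=US" 2>/dev/null
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo derived from a private key.
key_pub_fp() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo taken from a certificate.
cert_pub_fp() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints "match" when the certificate's public key is the one belonging to the
# private key, "MISMATCH" otherwise.
check_key_matches_cert() {
  if [ "$(key_pub_fp "$1")" = "$(cert_pub_fp "$2")" ]; then
    echo match
  else
    echo MISMATCH
  fi
}

make_key_and_csr
issue_cert_from_csr
make_unrelated_cert
echo "own key vs issued cert:    $(check_key_matches_cert "$WORK/codesign.key" "$WORK/codesign.crt")"
echo "own key vs unrelated cert: $(check_key_matches_cert "$WORK/codesign.key" "$WORK/other.crt")"
```

In the real flow, the CSR produced in step 1 is what gets uploaded to the CA, and the file the CA sends back replaces the self-signed stand-in in `check_key_matches_cert`. If a CA's portal instead hands you a key pair it created in the browser, the downloaded certificate will fail this check against any key you generated yourself, which is exactly the situation the question describes.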