> Obtain a browser-trusted certificate and set it up on your web server
From the "RFC" on GitHub:
> In the background, the web server contacts the CA and uses ACME to request that a certificate be issued for the intended domain name(s).
> Once the CA is satisfied, the certificate is issued and the web server automatically downloads and installs it, potentially notifying the operator via e-mail, SMS, etc.
This really sounds like they are generating the key pair, not just signing it. I think (hope) that's not the case, but clarity on this issue is pretty important.
They're generating the certificate, not the keys. Those are different things. You can probably think of the certificate as the computer equivalent of photo ID for the server.
They both show who you are (Driver's License: your name, cert: hostname), what you look like (DL: photo of you, cert: the key's fingerprint) and provide proof that they are genuine (DL: difficult and illegal to fake, cert: practically impossible to do the math to forge a signature).
Note that they mention certificate signing requests. If the CA generated the keys, it wouldn't also need a CSR. It could just generate and send you the public and private keys and the signed certificate for them. However, it does need some information about the keys it's signing. You provide that information in the form of a CSR.
Looks to me like it generates the keys locally OR you can specify the keys if you like. But since the private key doesn't leave your server, it doesn't really matter either way.
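The split the replies describe (key pair generated and kept on the server, only a CSR sent to the CA), as an added example that is not part of the thread or of any ACME client's code. The hostname `example.test` and the file names are placeholders, and the `openssl` CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example. Hostname and file names are placeholders; requires the openssl CLI.
set -eu

# Generate the key pair locally, then build a CSR from it.
# $1 = directory for the files, $2 = hostname to put in the subject
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/server.key" 2>/dev/null
    chmod 600 "$1/server.key"            # private key stays here, never uploaded
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# SHA-256 of the public key embedded in a CSR ($1 = CSR file)
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public half of a private key file ($1 = key file)
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True if the CSR's self-signature verifies (proof the requester holds the private key)
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True if the file the CA would receive contains a private key block
csr_has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

demo() {
    work=$(mktemp -d)
    make_csr "$work" example.test
    echo "public key in CSR : $(csr_pubkey_fp "$work/server.csr")"
    echo "public key of key : $(key_pubkey_fp "$work/server.key")"
    csr_signature_ok "$work/server.csr" && echo "CSR self-signature: OK"
    csr_has_private_key "$work/server.csr" || echo "private key in CSR: none"
    rm -rf "$work"
}
demo
```

The two fingerprints match because the CSR carries only the public half of the locally generated key; the CA signs a certificate over that public key and never needs the private one.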