Shared hosts don't do that. dedicated and managed servers (cloud, fractional, vps, etc) do that. At best, shared hosts will integrate with LetsEncrypt or other CA's to have an automated process.
You explained answering a challenge, which can be a simple file or even DNS (and not involve the hosting service at all).
The issue is in inserting a ssl certificate.
Apache and nginx both require server restarts for an SSL certificate change (unless you do dynamic certs per domain with openresty's nginx variant, but that is a different story). These companies can host hundreds of customers on a single server -- so a restart for one domain can impact many.
A shared hosting provider would essentially need to give every user on the machine the ability to restart the webserver in order to install/update a SSL certificate for a domain. That is somewhat possible on nginx based installations, where each domain/account might run a dedicated version of nginx because of their memory imprint (EngineYard did that at first, but they are not a shared host -- they're PAAS). But shared hosts tend to be apache based companies who use mod_php + virtualhosts and do not offer sandboxed accounts. An invalid certificate pair can keep a system from functioning correctly, or even keep it from restarting at all. The amount of engineering needed to ensure proper testing, handle issues, protect against race conditions by competing users, etc is fairly large. Shared Hosting is a fairly low margin "budget" product too -- so stuff like this isn't a priority.
Technologically, sure... anything is possible. It's just not probable. I've only seen a few companies in 20+ years offer "bring your own ssl" to shared plans. Most charge to audit+update the certificate into their system, but a few offer control panels that generate the PKEY+CSR and require you to pass in that key .
Realistically, Shared Hosting providers fall into 2 categories of business: those who are partnering with LetsEncrypt and automating API access (or considering it), and people who are not interested in building out a "bring your own" SSL certificate infrastructure for their lowest margin product or have an internal SSL service that competes with LE.