How does letsencrypt sign your certs without storing its private key(s) on your disk?
The same as all other good CAs. You send them a CSR which contains your public key, the domains you need and other info. They then make the cert based on that, sign it and send it back to you.
Ok, i thought that it signed it locally. Thx!