I think I should mention another thing here, because it's clearly important to know if you want to answer the question how the LE client generates this cert:
The LE client regenerates the key pair every time it renewals the certificate.
That's especially important to know if you want to use HPKP.