How proof of possession works for e.g. Cloudflare free SSL

CloudFlare free SSL works by generating keypair and issuing a certificate at there servers. They keep the private key at CloudFlare themselves and the domain owner won’t see it. But ACME specification says that if there’s any certificate for that domain, the domain owner must sign the proof of possession using it’s private key. So, how can the domain owner validate the domain in this case?

1 Like

probably this applies only to LE certs, I have a running HTTPS from StartSSL and CACert (I have 2 domains and one of them isnt liked by SSSL) and didnt need to prove anything, except for the webroot stuff because of manual validation…