@Ersatz, there are several web-based clients now. The list of clients thread mentions:
http://certificateautomation.com/
https://gethttpsforfree.com/
As I recall, the latter two do private key generation in the browser, while the former does it online. This was already debated at
As you can see in that thread, a number of people were quite uncomfortable with the server-side key generation and saw it as inappropriate. (I definitely agree that it's not a good idea.)
Of course, no one can make you use or endorse any web-based client. A possible area for ongoing discussion is whether server-side key generation is a scary enough practice that it should be against the CA's terms of service. In that case it might be necessary to find a way to draw the definitional line between using a key-generation service and hiring an IT contractor to generate the private key on the contractor's laptop, where there's no straightforward way of proving that the contractor deleted all the copies of the private key after generating it.
Almost all hosting environments require trusting someone with access to the private key, for example because they can peek inside your VM image or tamper with your physical hardware's memory or boot sequence. A best practice is to minimize the number of entities that have to be trusted with key access (and maybe different virtualization technologies will make it somewhat safer in the future).