@serverco, I think it’s clear that people working on the Let’s Encrypt project disfavor key-generation-as-a-service and recommend that client developers not use this model. But if I remember correctly from the earlier thread, we haven’t had a formal statement about whether the key-generation service, separate from a hosting service, could be considered “an unauthorized person” for subscriber agreement purposes. (edit) So, I just want to point out that this might be a policy issue, but hasn’t been resolved yet.