Why does ACME use CSRs?

I remember it was to somewhat confirm that the client did have control of the private key part of the cert requested:
otherwise you could put about any public key over the API:
like Eve taking down any site by asking for a cert A with the same public key as the target site, then revoking A as key-compromised as the owner; the server would process that by revoking all certs with the same (claimed compromised) public key, bringing down the target site.
Although LE patched that so you need to sign with the cert's private key, that was the reason to use CSRs; and CSRs because there are embedded things that throw out CSRs, so LE can be used on them.
