Some weeks ago the german low cost hoster 1blu got hacked and there was a bit of fuss later about the TLS certificates issued by 1blu. I think they reissued all of them. Since I knew that some hoster offer to generate the complete cert + key package for the customer I naively assumed that only the lazy and novice customers were the victims of that issue.
Today, while helping someone, I learned that 1blu forces you to use the key generated by them for certificates included in a virtual server bundle and probably other bundles. That makes those bundles a lot less attractive since the included certificate is not useful at all. One could of course argue that a virtual server is not trustworthy anyway, but I'd like to believe for now that it's more complicated to extract stuff from all running virtual servers compared to dumping the central database / key repository.
Maybe it's time to create a wrapper around openssl that is less opaque to novice users so we can get rid of key generation by a third party one day. In the end it's a disasterous trend that only got started because of usability issues.