Many CA have in browser javascript-based private key generation.

(Of course the same page have GoogleAnalytics and facebook button -- otherwise it would be too secure.)