Regardless of whether or not you provide your own SSL certificates, Cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
I mean, we trust Root Certification Authorities, which are basically self-proclaimed-as-trusted entities. At least CF became widespread and is community-trusted :)
Good point. Who’s to say that LetsEncrypt doesn’t keep a copy of my private keys?
A certificate authority doesn’t have a copy of your private key; you send them a certificate signing request. The private key never leaves your system. That’s the whole point of public key encryption.
Because that’s not how certificates work?
Your private key is never sent to the CA when you submit a Certificate Signing Request, only the public key and a bunch of metadata.
(The exception being code signing certs that are delivered on an HSM but the key never leaves the HSM)
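To see concretely what a CSR does and does not carry, here is an added example (not code from any poster above) that generates a key pair with openssl, builds a CSR from it, and checks that the CSR contains the public key and a verifiable self-signature but no private-key material. The curve, file names and subject are assumptions for the demo; it assumes openssl is installed.

```shell
#!/bin/sh
# Added demo: what ends up inside a Certificate Signing Request.
# Assumes openssl is on PATH; curve, subject and paths are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/site.key"
CSR="$WORK/site.csr"

# Generate an EC P-256 private key. This file is what stays on the server.
openssl ecparam -name prime256v1 -genkey -noout -out "$KEY" 2>/dev/null

# Build the CSR: it is signed with the private key, but carries only the
# public key plus the subject/metadata. Nothing here is sent except $CSR.
openssl req -new -key "$KEY" -subj "/CN=example.invalid" -out "$CSR" 2>/dev/null

# 1. The public key embedded in the CSR equals the public half of our key pair.
csr_pubkey_matches() {
    a=$(openssl req -in "$CSR" -noout -pubkey)
    b=$(openssl pkey -in "$KEY" -pubout)
    [ "$a" = "$b" ]
}

# 2. The CSR has no PRIVATE KEY block, and its raw DER bytes do not contain
#    the private scalar from the key file (checked as a hex substring).
csr_has_no_private_key() {
    if grep -q "PRIVATE KEY" "$CSR"; then return 1; fi
    priv_hex=$(openssl ec -in "$KEY" -noout -text 2>/dev/null \
        | sed -n '/priv:/,/pub:/p' | grep -v 'priv:\|pub:' | tr -d ' :\n')
    csr_hex=$(openssl req -in "$CSR" -outform DER | od -An -tx1 | tr -d ' \n')
    case "$csr_hex" in *"$priv_hex"*) return 1 ;; esac
    return 0
}

# 3. The CSR's self-signature verifies with the embedded public key, which is
#    how the CA learns you hold the private key without ever receiving it.
csr_signature_valid() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}
```

Run the three checks in order; each exits 0 only when the property holds, so a CSR that leaked key material would fail the second check.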