Thursday, 21 September 2023

HTTPS/SSL: Let's Encrypt (or any CA) either uses a private/public key pair from your own server or generates one for you; browser HTTPS validation

Browser HTTPS validation:


https://www.linkedin.com/pulse/how-does-your-browser-knows-tls-certificate-presented-ehis-iribhogbe



How Let's Encrypt works:


https://letsencrypt.org/how-it-works/


The official Let’s Encrypt client can either use an already-created key pair, which you can generate under any circumstances you prefer, or it can perform the generation for you, which it will do with OpenSSL, see letsencrypt/crypto_util.py 184.


*Note: "generation for you" means that the client runs a script on your server to generate the public/private key pair.



import OpenSSL.crypto  # pyOpenSSL


def make_key(bits):
    """Generate PEM encoded RSA key.

    :param int bits: Number of bits, at least 1024.

    :returns: new RSA key in PEM form with specified number of bits
    :rtype: str

    """
    assert bits >= 1024  # XXX
    # The key pair is created locally, on the machine running the client.
    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, bits)
    # Serialize the private key to PEM for storage on this server.
    return OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
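To make the note above concrete, here is an added example (not code from the Let's Encrypt client) that generates the key on the local machine, builds the certificate signing request a CA would receive, and checks that the request carries only the public key plus a proof-of-possession signature. It assumes the Python `cryptography` package rather than pyOpenSSL; the helper names, the 2048-bit floor and the domain `example.test` are choices made for this example.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048  # floor chosen for this example


def make_key_and_csr(domain, bits=2048):
    """Generate an RSA key locally and a CSR for `domain` (hypothetical helper)."""
    if bits < MIN_RSA_BITS:  # explicit check: `assert` vanishes under python -O
        raise ValueError("RSA key must be at least %d bits" % MIN_RSA_BITS)
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(domain)]), critical=False)
        .sign(key, hashes.SHA256())  # signature proves possession of the private key
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return key_pem, csr.public_bytes(serialization.Encoding.PEM)


def inspect_csr(csr_pem, key_pem):
    """Report what the CA would receive and check it against the local key."""
    csr = x509.load_pem_x509_csr(csr_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    d = key.private_numbers().d
    d_bytes = d.to_bytes((d.bit_length() + 7) // 8, "big")
    return {
        "names": san.value.get_values_for_type(x509.DNSName),
        "key_bits": csr.public_key().key_size,
        "signature_valid": csr.is_signature_valid,
        "public_key_matches": csr.public_key().public_numbers() == key.public_key().public_numbers(),
        "private_exponent_in_csr": d_bytes in csr.public_bytes(serialization.Encoding.DER),
    }


if __name__ == "__main__":
    key_pem, csr_pem = make_key_and_csr("example.test")  # constructed domain
    print(inspect_csr(csr_pem, key_pem))
```

Only the CSR PEM is sent to the CA; the key PEM stays on the server and should be written with owner-only file permissions.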

