Re: the oldest bad practice in the book.
Which CAs ask for your private keys, if I may ask?
A number of CAs provide, or used to provide, "one step" certificate generation, where they generate a key pair and a DV or personal certificate[1] and send them both to the user. It's to save people the effort of learning what a CSR is, because why go to the trouble of understanding even the basic concepts of the security mechanism you're trying to use?
DigiCert appears to require a CSR even for DV certificates, which is good.
Since 2012 it's a violation of the CABF Baseline Requirements for the CA to archive the subscriber's private key (so Trustico was in violation of the CABF BR; that's just an industry agreement, but the violation may doom their business). But CAs are still allowed to generate the key pair:
Parties other than the Subscriber SHALL NOT archive the Subscriber Private Key.
If the CA or any of its designated RAs generated the Private Key on behalf of the Subscriber, then the CA SHALL encrypt the Private Key for transport to the Subscriber.
(Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0, 10.2.4)
[1] The EV certificate rules don't allow this, fortunately. It's one of those odd cases where the EV rules actually do something significant to improve security.
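As an added example (not from the post above or from any CA), the following POSIX shell script shows what "learning what a CSR is" amounts to in practice: the key pair is generated on the subscriber's own machine, the CSR sent to the CA carries only the public key and a self-signature, and two checks confirm that the CSR really belongs to the local key and contains no private key material. It assumes the `openssl` command-line tool is installed; the directory and subject names are placeholders.

```sh
#!/bin/sh
# Generate a key pair locally and build a CSR from it, so the CA never
# sees the private key. Arguments: output directory, common name.
gen_csr() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  # Private key stays on this host; P-256 chosen here as an example curve.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$dir/key.pem" 2>/dev/null || return 1
  chmod 600 "$dir/key.pem"
  # The CSR embeds the public key and is signed with the private key.
  openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" \
    -out "$dir/csr.pem" 2>/dev/null || return 1
}

# Check that the CSR's self-signature verifies and that the public key
# inside it is the one derived from the local private key.
csr_matches_key() {
  dir="$1"
  openssl req -in "$dir/csr.pem" -noout -verify >/dev/null 2>&1 || return 1
  a=$(openssl req -in "$dir/csr.pem" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  b=$(openssl pkey -in "$dir/key.pem" -pubout -outform DER 2>/dev/null \
      | openssl dgst -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# The artefact handed to the CA must contain no private key block.
csr_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$1/csr.pem"
}

# Usage (placeholder names):
#   gen_csr ./out www.example.test && csr_matches_key ./out && csr_has_no_private_key ./out
# Then submit ./out/csr.pem to the CA and keep ./out/key.pem on the server.
```

The second check is the one to run before uploading anything: if a CSR verifies but its public key does not match the key on the server, the certificate the CA returns will be useless for that host, and if a "CSR" file does contain a `PRIVATE KEY` block, the wrong file is about to leave the machine.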