Nobody needs to touch your server for this. Internet domain name records are public information, and they just verify that you're the real owner/administrator of the domain the encryption keys are for. They don't need access to your servers to do that. For most keys they just send a verification email to the registered owner of the domain name to verify you. They also only need your Public key, not your Private key. Without the Private key, someone can't decrypt stuff encrypted with your Public key. Hopefully someone isn't paying you to manage a server if you don't know how SSL/TLS keys are set up.
On your computer/server you generate a Private RSA key. Then you generate a certificate signing request for the Private key. You send the CSR to the certificate authority you are using. Then they verify the information in the CSR, like your domain name and that you're authorized to issue it. Then they digitally sign your Public certificate with their Private certificate and send you the signed Public certificate. Then you simply set up your web server to use SSL/TLS with your Private Certificate and your Public Certificate signed by the CA. If the CA is one of the trusted Root CAs your browser uses, then it will work normally without warning you.
With RSA you have a Public and a Private key. Anything encrypted with the Public key can only be decrypted with its Private key. Anything digitally signed with the Private key can be verified with its Public key. Certificate Authorities are like a public notary: they use their Private key to sign a website's Public key after verifying who they are. Computers have a database of the Public keys for trusted CAs. When you connect to a secure website, they send you their public key, and then you send them another temporary encryption key for just this session, encrypted with the public key they sent you. Because only the site has their private key, only the site can decrypt the session key you sent them to start the connection. You verify that you got the real site's public key, and not someone hijacking the connection, because it would be signed by a trusted CA's private key; so you use your database with the public keys of trusted CAs and check that the signature is valid. Without trusted CAs it would be like being without trusted public notaries: you would have to personally verify people's identities and then have them verify the correct encryption keys. I suppose you could have sites like FaceBook, Google, and others call, fax, or mail you their public encryption keys so you can verify the connection, but that would be much more time consuming than just having the site pay a company to verify them for you.
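The whole flow described in the comment above (generate a private key, build a CSR, have the CA check the name and sign the public key, then have a client check that signature against its list of trusted CA public keys, plus the encrypt-with-public/decrypt-with-private step used for the session secret), as an added, self-contained example that is not part of the original post. It uses the third-party `cryptography` package; the CA name, the domain `example.com`, and the 90-day/10-year validity periods are illustrative assumptions. The CA's "verified_domain" argument stands in for whatever out-of-band check (e-mail, DNS) the CA did.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_key(bits=2048):
    """Server side: generate an RSA private key. The public key is derived from it."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def make_ca(name="Example Root CA"):
    """Self-signed root: the CA signs its own public key. This is what ends up
    in a browser's trust store. (Name is an illustrative assumption.)"""
    key = make_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_csr(server_key, domain):
    """Server side: the CSR carries the public key and the requested name, and is
    signed with the private key to prove the requester holds it. The private key
    never leaves the server."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)]))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(domain)]), critical=False)
            .sign(server_key, hashes.SHA256()))


def ca_sign(ca_key, ca_cert, csr, verified_domain):
    """CA side: check the CSR's self-signature, confirm the requested name is the
    one that was verified out of band, then sign the requester's public key."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the private key")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != verified_domain:
        raise ValueError(f"CSR is for {cn!r} but only {verified_domain!r} was verified")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(san, critical=False)
            .sign(ca_key, hashes.SHA256()))


def issued_by(cert, ca_cert):
    """Client side: verify the certificate's signature with the CA's public key
    (the 'database of trusted CA public keys' step). Returns False for a cert
    signed by any other key, i.e. an untrusted or hijacked CA."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def send_session_secret(server_cert, secret):
    """Client side: encrypt a session secret to the public key in the cert."""
    return server_cert.public_key().encrypt(secret, OAEP)


def receive_session_secret(server_key, ciphertext):
    """Server side: only the holder of the private key can recover it."""
    return server_key.decrypt(ciphertext, OAEP)


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    srv_key = make_key()
    cert = ca_sign(ca_key, ca_cert, make_csr(srv_key, "example.com"), "example.com")
    print("trusted:", issued_by(cert, ca_cert))
    print("recovered:", receive_session_secret(srv_key, send_session_secret(cert, b"session-secret")))
```

The `issued_by` check is the heart of what a browser does: it does not need the CA's private key, only the CA public key it already has, and a certificate from any other signer fails that check before the connection proceeds.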