I'm trying to get a client identity cert ("SSL Client"/"TLS Web client authentication") from a public CA for use with an API I am building. All the CAs I have looked at seem to assume that when someone wants a client identity cert, they want it for email signing/encryption and, by extension, they want to generate the private key (typically using a browser call to the Windows CryptoAPI service — not that the CA is directly creating and seeing the private key) at the same time as issuing a signed public cert. I get how this process might make sense for an S/MIME cert, but for a service account that needs a client identity cert, I want to generate the key directly in my application, and then simply supply a CSR to the CA to get a signed public cert back. It doesn't seem like I should have to allow the CA to generate my private key for a client identity cert.
Is this behavior typical for popular public CAs? Is there one that will let me submit a CSR and get back a signed certificate with the Key Usage/Extended Key Usage values appropriate for a TLS Web client authentication certificate?
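Added example, not part of the original question: the key-stays-local flow with the openssl CLI, requesting the clientAuth EKU in the CSR and then checking what the CA hands back. It assumes `openssl` is on PATH; the CN and the self-signed stand-in for the CA's response are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the private key locally, build a CSR that asks for
# the TLS client-auth EKU, and verify the EKU on the CSR and the issued cert.
# Assumes the openssl CLI; "api-client.example" is a constructed placeholder CN.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build the CSR. The key is written to $WORK/client.key and never leaves
# this host; only $WORK/client.csr is sent to the CA.
make_client_csr() {
  subj="$1"
  cat > "$WORK/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = client_ext
prompt = no
[ dn ]
CN = $subj
[ client_ext ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -config "$WORK/csr.cnf" 2>/dev/null
  echo "$WORK/client.csr"
}

# Stand-in for the CA: self-sign the CSR with the same extensions so the
# check below can be exercised offline (a real CA returns its own cert).
self_sign_for_test() {
  openssl x509 -req -in "$1" -signkey "$WORK/client.key" -days 1 \
    -extfile "$WORK/csr.cnf" -extensions client_ext \
    -out "$WORK/client.crt" 2>/dev/null
  echo "$WORK/client.crt"
}

# Print the EKU value line of a CSR (what was requested) or a cert (what
# the CA actually issued).
eku_of() {
  case "$1" in
    *.csr) openssl req -in "$1" -noout -text ;;
    *)     openssl x509 -in "$1" -noout -text ;;
  esac | grep -A1 'Extended Key Usage' | tail -n1 | sed 's/^ *//'
}

# Returns 0 when the file carries the clientAuth EKU, 1 otherwise.
has_client_auth() {
  eku_of "$1" | grep -q 'TLS Web Client Authentication'
}
```

Run `has_client_auth` against the certificate the CA returns: a CA that ignored the requested extensions (or issued only emailProtection) fails the check before the cert is deployed.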