Ah, I guess the point I'm missing is that with a 'serverless' setup, the cloud provider must have access to your private key? Unless you use some sort of key server setup (what they call Keyless SSL)