Jamf Connect and Self Service+ do not send user secrets to any service. The private key that generates your certificate signing request (CSR) never leaves the keychain. The process is only completed within Jamf Connect or Self Service+ using Apple-provided SecKeychain and SecCertificate API calls.
Note: Private keys are marked as non-exportable by default; however, you can use a preference key to change this setting.
When sending the CSR to a Windows certificate authority (CA), Kerberos authentication is used, and the CSR is sent via SSL. The resulting signed public key is retrieved using Kerberos and SSL and then matched with the private key in the keychain.