How to Generate a CSR for ACM

0

We use AWS Load-balancers for our website hosted on EC2 instances. We want to import SSL cert files to AWS Certificate Manager (ACM). The SSL cert provider asked for a CSR file to generate cert files. However, ACM does not have an option to generate a CSR. Could you please let us know how to generate a CSR for ACM?

Note:

  1. The question is not how to generate a CSR for a specific Amazon EC2 (AWS).
  2. If we need to generate a CSR on an EC2 instance, since we have multiple servers behind the Load-balancer, should we generate one CSR for each EC2?

Thanks!

2 Answers
0

As far as I know, you must generate the CSR in another tool like OpenSSL.

When you have multiple servers behind an AWS Load Balancer you do not need to generate a separate CSR for each EC2 instance. Instead, you should generate a single CSR, which can be done on any one of your servers or even on a local machine.

Import the Certificate into AWS ACM: Once you receive the SSL certificate from your provider, import it into AWS Certificate Manager (ACM).

Answered 6 months ago
0

=== RESPONSE TO FIRST QUESTION ===

A CSR (certificate signing request) is a file containing a public key and identification details (like a form), which is submitted to a Certificate Authority. The Certificate Authority will sign the CSR which will produce the certificate.

This means you can generate a CSR using any tool available to you. With OpenSSL, you can use the command below to generate both a private key and a CSR file:

---> openssl req -new -newkey rsa:2048 -nodes -keyout PrivateKey.key -out <CSR_Name>.csr

In the case where you already have a private key, you can use the below command to generate only a CSR file:

---> openssl req -new -key privatekey.pem -out test.csr

Once the CSR is generated, you send the CSR to your Certificate Authority. They will sign it and return the actual certificate (SSL) to you.

From here, you have two options:

  1. You can either install the certificate yourself by installing it in the web server hosting your website or
  2. You can import it to AWS ACM where an AWS ACM issued certificate will be given to you for your custom website. This option is best especially if you have other resources in AWS like CloudFront or ELB because you can easily associate the certificate in ACM with these resources. To import a certificate to AWS ACM, here is documentation that highlights the step-by-step process: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html

=== RESPONSE TO SECOND QUESTION ===

As long as the information in the CSR is the same across all of your EC2 servers, you do not need to create a CSR for each EC2 server. You just need 1.

AWS
Dwight
Answered 3 days ago
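The flow described in the answers above (one key and one CSR for the whole load-balanced site, then import into ACM), as an added example that is not part of the original answers. It generates the request non-interactively with subject alternative names and checks that a CSR or returned certificate matches the private key before import. The names `example.com` and `www.example.com`, the file names and the helper function names are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
# Added example; example.com, www.example.com and all file names are placeholders.
# make_csr DIR COMMON_NAME [EXTRA_DNS_NAME...]
# Writes DIR/PrivateKey.pem (unencrypted, as ACM import requires) and DIR/request.csr.
make_csr() {
    local dir="$1" cn="$2" san name
    shift 2
    san="DNS:${cn}"
    for name in "$@"; do san="${san},DNS:${name}"; done
    (
        umask 077   # new files readable by the owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "${dir}/PrivateKey.pem" -out "${dir}/request.csr" \
            -subj "/CN=${cn}" -addext "subjectAltName=${san}" 2>/dev/null
    )
}

# csr_is_valid CSR: succeeds if the request's self-signature verifies.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_sans CSR: prints the DNS names in the request, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# pubkey_of KIND FILE: prints the PEM public key of a key, csr or cert file.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac
}

# matches_key KIND FILE KEYFILE: succeeds if FILE holds the public half of KEYFILE.
matches_key() {
    local a b
    a=$(pubkey_of "$1" "$2" 2>/dev/null) || return 1
    b=$(pubkey_of key "$3" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical flow (not run here; needs the AWS CLI and the CA's files):
#   make_csr . example.com www.example.com   # send request.csr to the CA
#   matches_key cert Certificate.pem PrivateKey.pem && aws acm import-certificate \
#       --certificate fileb://Certificate.pem --private-key fileb://PrivateKey.pem \
#       --certificate-chain fileb://CertificateChain.pem
```

The private key never needs to be copied to the EC2 instances when TLS terminates at the load balancer; keep it only where the CSR was generated until the import is done.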
