Flow for purchasing an SSL Certificate
Solution 1:
CSR stands for Certificate Signing Request, and you've pretty much got it.
The CSR is just for throwing at the Certificate Authority; it contains your public certificate, but not in a form that's useful for anything other than sending to get it signed.
They'll sign it and send back your public certificate file, which will be .pem or .crt. That will be the public certificate sent out to each client system that requests a page. It will contain the info you've defined in that page (CN and organization details) as well as the stuff that they add from the CA (where clients can get the parent cert, certificate revocation list locations, allowed usages of the certificate, etc).
The .key is the private key for the certificate, in its final form. You'll feed that to the web server as the private key, and it's used for decryption of data sent in by clients, encryption of data sent to clients, and signing of data for authentication.