Must CSRs be generated on the server that will host the SSL certificate?

Is it necessary to generate the CSR (Certificate Signing Request) on the same machine that will host my web application and SSL certificate?

This page on SSL Shopper says so, but I'm not sure if that's true, because it would mean I'd have to buy a separate SSL certificate for each server in my cluster.

What is a CSR? A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on.


No. It is not necessary to generate the CSR on the machine that will host the resulting certificate. The CSR does need to be generated either with the existing private key that the certificate will eventually be paired with, or its matching private key must be generated as part of the CSR creation process.

What's important is not so much the originating host but that the private key and resulting public key are a matching pair.


kce is dead right, it absolutely does not need to be done on the same machine, but it does need to be done from the relevant private key.

The only reason I'm posting a second answer is because no one has said why you might want to do such a thing. Nearly every key/CSR set that I generate is done from my laptop or desktop, then the key is securely copied onto the server where the certificate will be installed, and the CSR is sent off to the signing agency. The reason is entropy: SSL certificates are generally used to secure servers, and servers often have very shallow entropy pools, which either weakens keypairs they create or makes creation take a long time. Desktops, on the other hand, have a useful source of randomness connected via keyboard/mouse cables, and thus tend to have deep entropy pools. They therefore make much better platforms for operations that require high-quality random numbers, keypair generation being one such purpose.

So not only can the key/CSR be generated off-server, but I find there is frequently a good reason to do so.
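As an added example (not code from either answer or from the linked SSL Shopper page), the following POSIX shell script does what the second answer describes: it generates the private key and CSR on a workstation, then performs the check the first answer says actually matters, namely that the public key embedded in the CSR is the one derived from the private key that will later be copied to the server. The hostname, subject, file paths and the scp destination are assumptions for illustration.

```shell
#!/bin/sh
# Added example: create key + CSR off-server, then prove they are a matching pair
# before the key is copied to the web server and the CSR is sent to the CA.
# www.example.com, "Example Org", the paths and the scp target are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/www.example.com.key"
CSR="$WORKDIR/www.example.com.csr"

# Generate a 2048-bit RSA private key. umask 077 keeps it owner-readable only.
# No passphrase here so the web server can start unattended; add -aes256 to
# openssl genpkey if an encrypted key is wanted instead.
gen_key() {
  (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
     -out "$KEY" 2>/dev/null)
}

# Build the CSR from that existing key: -key is what ties the request to it.
# -addext needs OpenSSL 1.1.1 or newer.
gen_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/CN=www.example.com/O=Example Org" \
    -addext "subjectAltName=DNS:www.example.com,DNS:example.com"
}

# SHA-256 of the DER-encoded public key derived from a private key.
pubkey_digest_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# SHA-256 of the DER-encoded public key carried inside a CSR.
pubkey_digest_of_csr() {
  openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# The matching-pair check. Comparing the whole SubjectPublicKeyInfo works for
# RSA and EC keys alike, unlike the common "compare the RSA modulus" recipe.
# Usage: csr_matches_key CSR_FILE KEY_FILE ; exit status 0 means they match.
csr_matches_key() {
  [ "$(pubkey_digest_of_csr "$1")" = "$(pubkey_digest_of_key "$2")" ]
}

# The CSR is self-signed with the private key; -verify checks that signature,
# which is a second, independent proof that the key behind the CSR is this one.
csr_signature_ok() {
  openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

gen_key
gen_csr
if csr_matches_key "$CSR" "$KEY" && csr_signature_ok "$CSR"; then
  echo "CSR and key match. Send $CSR to the CA; copy the key to the server, e.g.:"
  echo "  scp -p $KEY deploy@www.example.com:/etc/ssl/private/"
else
  echo "CSR does not belong to $KEY; do not deploy" >&2
  exit 1
fi
```

The digest comparison is the step worth keeping around: it is the same check to run later against the issued certificate (`openssl x509 -in cert.pem -pubkey -noout` in place of the `openssl req` call), and it catches the usual failure of a CSR that was regenerated from a fresh key while the old key was the one copied to the server.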