(I would not reuse the same SSL key on different servers, but if you would otherwise give a website a ten year self-signed certificate, well, you might as well reuse the same key for it for ten years.)

(Locally we have tended to discard the CSR once the certificate has been issued, and to generate new keys when we get new certificates.)

CSRs are generated with openssl req , which asks about all of the fields for the DN and can be fed standard input. If you are mass-generating CSRs for some reason, note that the tempting -batch option is basically useless. Rather than silently reading the CSR parameters from stdin, it reads them only from the OpenSSL configuration file.

If you are going to be generating more than a few CSRs, I would write a script to do it; among other things, it makes sure that you're consistent in your Distinguished Names (which should normally vary only in the hostname). Plus, it makes the whole process a lot less annoying.

CSRs can be examined with:

openssl req -text -noout -in WHAT.csr