I'm trying to understand the proper flow for installing SSL on a server (rather, a couple of servers behind an AWS load-balancer).
https://www.digicert.com/easy-csr/openssl.htm offers up a wizard. I want to confirm that I can enter the details, run the openssl command and receive two things:
domain.csr domain.key
I then use the csr to actually purchase the certificate, and use the key for signing. Is this correct? Am I missing a piece of the puzzle?
CSR stands for Certificate Signing Request, and you've pretty much got it.
The CSR is just for throwing at the Certificate Authority; it contains your public certificate, but not in a form that's useful for anything other than sending to get it signed.
They'll sign it and send back your public certificate file, which will be .pem or .crt. That will be the public certificate sent out to each client system that requests a page. It will contain the info you've defined in that page (CN and organization details) as well as the stuff that they add from the CA (where clients can get the parent cert, certificate revocation list locations, allowed usages of the certificate, etc).
The .key is the private key for the certificate, in its final form. You'll feed that to the web server as the private key, and it's used for decryption of data sent in by clients, encryption of data sent to clients, and signing of data for authentication.
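The flow described above (generate a private key, generate a CSR from it, send the CSR to the CA, get a signed certificate back, keep the key private) can be scripted and, more importantly, checked: before a certificate is copied onto each server behind the load balancer, it is worth confirming that the CSR and the returned certificate really carry the public key that belongs to the private key you kept. The script below is an added example written for this answer, not code from the question or the answer author. It assumes the openssl command-line tool is installed; the subject fields are constructed placeholders, and the self-signed certificate it produces stands in for the CA-issued .crt/.pem only so that the check can be exercised offline.

```shell
#!/bin/sh
# Added example: key + CSR generation and key/CSR/certificate consistency checks
# with the openssl CLI. Nothing here talks to a real CA.
set -eu

# Working directory for the generated files (assumed: mktemp is available).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a 2048-bit RSA private key and a CSR for the given CN.
# Subject fields are constructed placeholders; replace with your own details.
make_key_and_csr() {
  domain="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/$domain.key" 2>/dev/null
  openssl req -new -key "$WORKDIR/$domain.key" \
    -subj "/C=US/ST=State/L=City/O=Example Org/CN=$domain" \
    -out "$WORKDIR/$domain.csr" 2>/dev/null
}

# Stand-in for the CA step: self-sign the CSR with its own key so that a
# certificate exists to verify against. A real deployment uses the CA's file.
self_sign_for_demo() {
  domain="$1"
  openssl x509 -req -in "$WORKDIR/$domain.csr" -signkey "$WORKDIR/$domain.key" \
    -days 1 -out "$WORKDIR/$domain.crt" 2>/dev/null
}

# SHA-256 over the DER-encoded public key, so that key, CSR and certificate
# can be compared on the one thing they must have in common.
pubkey_hash_from_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

pubkey_hash_from_csr() {
  openssl req -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

pubkey_hash_from_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the CSR was built from this private key, 1 otherwise.
csr_matches_key() {
  [ "$(pubkey_hash_from_csr "$1")" = "$(pubkey_hash_from_key "$2")" ]
}

# Exit status 0 when the certificate belongs to this private key, 1 otherwise.
# Run this on whatever the CA sends back before installing it anywhere.
cert_matches_key() {
  [ "$(pubkey_hash_from_cert "$1")" = "$(pubkey_hash_from_key "$2")" ]
}

# Print the subject line of a CSR, to eyeball the CN before purchasing.
csr_subject() {
  openssl req -in "$1" -noout -subject
}
```

Usage: `make_key_and_csr www.example.test` writes `www.example.test.key` and `www.example.test.csr` into `$WORKDIR`; `csr_subject` shows what you are about to submit, and once the signed certificate arrives, `cert_matches_key cert.crt www.example.test.key` must succeed on every server the pair is deployed to. Hashing the DER public key rather than comparing the RSA modulus keeps the same check working for EC keys.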