The production VM won't be cloned for a few days but we need the CSR file now to buy the certificate. Can I just create the private key and CSR file on my own machine, supply the CSR file to the certificate authority in order to buy the certificate, and then copy the files onto the production box when it's ready?
Or does the CSR have to be generated on the production box itself? Could differences in openssl between my machine and the production VM cause problems?
SSL keys, CSRs, and certs aren't tied to a particular machine. You can generate the key and CSR anywhere you like, then copy them into place when your production machine is ready.
You can generate the CSR on any machine you like, submit it and then re-use it.
Even the SSL certificates can be moved around from machine to machine.
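An added example, not part of the original answers: a shell sketch that generates the key and CSR on a workstation and, before the files go onto the production box, checks that the key, CSR and issued certificate all carry the same public key. The function names, file names and `www.example.com` subject are assumptions, and the self-signing step only stands in for the certificate the CA would return.

```shell
#!/bin/sh
# Added example: all names below are constructed for illustration.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
# $1 = key|csr|cert, $2 = PEM file. Fails if the file cannot be parsed.
pubkey_digest() {
    case "$1" in
        key)  _pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  _pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) _pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$_pub" ] || return 1
    printf '%s\n' "$_pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if key ($1), CSR ($2) and certificate ($3) share one public key.
same_keypair() {
    _k=$(pubkey_digest key "$1") || return 1
    _r=$(pubkey_digest csr "$2") || return 1
    _c=$(pubkey_digest cert "$3") || return 1
    [ "$_k" = "$_r" ] && [ "$_k" = "$_c" ]
}

# Create $1/$2.key, $1/$2.csr and a stand-in $1/$2.crt.
make_demo_files() {
    (
        umask 077   # the private key must not be readable by other users
        # -nodes leaves the key unencrypted so the demo runs non-interactively
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
            -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    ) || return 1
    # Stand-in for the CA: in practice the .crt comes back from the CA
    # after the .csr has been submitted.
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
        -out "$1/$2.crt" 2>/dev/null
}

# Demo: run on any machine, then copy the .key and .crt to the server.
demo_dir=$(mktemp -d)
if make_demo_files "$demo_dir" site &&
   same_keypair "$demo_dir/site.key" "$demo_dir/site.csr" "$demo_dir/site.crt"
then
    echo "key, CSR and certificate match"
else
    echo "mismatch or unreadable file" >&2
fi
rm -rf "$demo_dir"
```

Running `same_keypair` again on the production box after the copy catches a wrong or truncated key file before the web server is pointed at it.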