My server environment:
I have a website called abc.com. I've created a subdomain called demo using Advanced DNS Zone Editor via cPanel, and it points to my static IP 123.123.123.123
demo.abc.com => 123.123.123.123 (winbox installed)
Then I have another local Tomcat server at 192.168.1.123, and I have a port forward set up from 123.123.123.123:80 to 192.168.1.123.
Now when I type demo.abc.com, it's going to execute my 192.168.1.123-hosted Tomcat website.
Now I need to install SSL on https://demo.abc.com. Which server do I need to use for creating the CSR file: 123.123.123.123 or 192.168.1.123?
Usually it is best to generate the CSR on the machine that will actually use the certificate - it's the only machine that will hold the certificate key in any case, hence this way you are not increasing your risk of certificate compromise.
In your example, the locally-addressed server runs a publicly-accessible web server anyway, so with minimal changes, you can enable TLS.
demo subdomain
However, I highly recommend that you read up about the more common setup anyway, which avoids poking through the firewall in such generic ways. Typically, you would not port-forward, but instead proxy using a common web server - in that case the certificate would go in the machine with the globally routable address, while the applications in private address space would never directly talk to clients or deal with public certificates.
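As an added illustration of the advice above (not part of the original answer): a sketch of generating the key and CSR for demo.abc.com directly on whichever host will terminate TLS, so the private key never has to be copied between machines. It assumes OpenSSL 1.1.1 or later is installed; the function names `make_csr` and `check_csr` and the output directory are hypothetical.

```shell
#!/bin/sh
# Added example. Run on the host that will terminate TLS for the site:
# the Tomcat box in the port-forward setup, or the proxy in the proxied setup.

# make_csr FQDN OUTDIR
# Writes OUTDIR/FQDN.key (stays on this host) and OUTDIR/FQDN.csr (goes to the CA).
make_csr() {
    fqdn=$1
    outdir=$2
    (
        umask 077                           # files are created owner-only
        mkdir -p "$outdir" || exit 1
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$fqdn.key" \
            -out "$outdir/$fqdn.csr" \
            -subj "/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    ) || return 1
    chmod 600 "$outdir/$fqdn.key"
}

# check_csr FQDN OUTDIR
# Returns 0 only if the CSR's self-signature verifies, its SAN names FQDN,
# and its public key is the one belonging to the local private key.
check_csr() {
    fqdn=$1
    outdir=$2
    csr="$outdir/$fqdn.csr"
    key="$outdir/$fqdn.key"
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$fqdn" || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Example use (constructed path):
#   make_csr demo.abc.com /etc/ssl/demo && check_csr demo.abc.com /etc/ssl/demo
```

Only the `.csr` file is submitted to the certificate authority; the `.key` file stays on the host where it was generated.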