Because I’ve had to look it up multiple times
Generate the private key
openssl genrsa -out domain.tld.key 2048
then, generate the CSR
openssl req -sha256 -new -key domain.tld.key -out domain.tld.csr
I’m certain there’s a one liner to do this, but didn’t find anything while looking (briefly).