Create the Key with a passphrase
openssl genrsa -des3 -out server.key 2048
Now create the insecure key, the one without a passphrase, and shuffle the key names:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
Make the CSR
openssl req -new -key server.key -out server.csr
https://help.ubuntu.com/10.10/serverguide/C/certificates-and-security.html