Ok thanks. So my understanding of CSR, KEY and CERT seems correct. And I found the cause of my issue: the CSR did not match the KEY.
On to the next area of concern, my design was to reuse the CSR. Rationale was to avoid having to update the KEYs.
Is this bad practice?