Welcome to the community @roger
If you need to use your own CSR you should review the below topic for the signatures supported.
But, certbot will create a CSR for you. You then specify the domain name(s) on the command line instead of using --csr. Such as:
sudo certbot certonly --manual --preferred-challenges dns -d *.stepahead.org.nz -d stepahead.org.nz
I added the second domain so that specific name is covered. The wildcard only covers names at the * level. You can omit the second -d if you don't use that name explicitly.