Ah, Windows Server with IIS, totally not in my ballpark to be honest. No experience whatsoever.
Therefore, I don't know if the use of a CSR is actually mandatory in this specific situation. It might be possible to install a certificate with the private key too, without using a CSR. However, as your specific situation mandates a manual process anyway, using a CSR is also an option.
If the CSR was generated on that specific server and the corresponding private key is also only on that specific server, then yes. A CSR is technically only coupled to the private key it was generated with.
In any case, the certbot documentation only mentions "CSR" a few times:
    --allow-subset-of-names
                          When performing domain validation, do not consider it
                          a failure if authorizations can not be obtained for a
                          strict subset of the requested domains. This may be
                          useful for allowing renewals for multiple domains to
                          succeed even if some domains no longer point at this
                          system. This option cannot be used with --csr.
                          (default: False)
    (…)
    --cert-path CERT_PATH
                          Path to where certificate is saved (with auth --csr),
                          installed from, or revoked. (default: None)
    (…)
    --csr CSR             Path to a Certificate Signing Request (CSR) in DER or
                          PEM format. Currently --csr only works with the
                          'certonly' subcommand. (default: None)
There's no mention of what other options are used or ignored, unfortunately. My assumption is that certbot just takes the hostnames from the CSR, probably including your third domain, and ignores the -d options.
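Added example, not part of the original post or the certbot documentation: a way to check with the openssl CLI which hostnames a CSR carries and whether it belongs to a given private key, before passing it to `--csr`. The file names, the example.com hostnames and the helper function names are constructed for illustration, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: inspect a CSR before handing it to `certbot certonly --csr`.

# Print the DNS names in the CSR's subjectAltName extension, one per line.
csr_names() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Succeed only if the CSR contains the public half of the given private key.
# Returns 2 if either file cannot be parsed.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$csr_pub" = "$key_pub" ]
}

# Constructed sample data: two throwaway keys and a CSR made from the first.
make_sample() {
    dir=$1
    for name in server other; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$name.key" 2>/dev/null
    done
    openssl req -new -key "$dir/server.key" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:third.example.com" \
        -out "$dir/server.csr"
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp"
echo "Names in CSR:"
csr_names "$tmp/server.csr"
csr_matches_key "$tmp/server.csr" "$tmp/server.key" && echo "server.key: matches CSR"
csr_matches_key "$tmp/server.csr" "$tmp/other.key" || echo "other.key: does not match CSR"
rm -rf "$tmp"
```

A certificate issued from the CSR is only usable on a machine that holds the matching private key, so the key check is worth running on the server where the certificate will be installed.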