
Can you generate a CSR on behalf of a user?


For an internal API, one of the capabilities is allowing a user to deploy an internal-facing website. Normally, for these websites a cert is issued by the company CA and the user/team must generate a CSR locally and then supply it when requesting the cert manually.

When looking to automate the process, I want to know if it's possible/recommended to generate the CSR on the API server so that the user doesn't need to generate or manage any keys themselves.


Solution

  • In order to use a certificate for authentication one has to have a certificate which includes the public key and then the matching private key. The private key needs to be private - as the name suggests - since with this key it is possible to impersonate the identity of the certificate.

    For generating a CSR one needs a private key. This means that if you create a CSR for another user, then the private key is no longer private to the user. That's why this is not recommended. It is still possible though, but to reduce exposure of the key you should then distribute the private key to the user in a secure way and make sure to securely remove any remaining copies of the private key at the CA or in communication systems (i.e. in an email) after the user has received the key.

    If this is a private infrastructure where the ones managing the CA also manage the rest of the infrastructure, then they might have access to the private key no matter if the CSR was generated by the users or by the CA. In this specific situation it might be tolerable to create the CSR for other users since it does not seem to add much more risk. But while tolerable it is still not the recommended way.

    And for really secure systems the private key should be created inside a hardware security module (HSM) and never be transferred out of this HSM. In this case it needs to be created by the one owning the HSM and cannot be created by someone else.
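As an added example (not code from the answer, the asker's API or any project), this is the recommended flow the answer describes: the user's machine generates the key pair and the CSR with openssl, keeps the private key, and only the CSR is handed to the internal API. The site name, output directory and the existence of a submit step are assumptions.

```shell
#!/bin/sh
# User-side CSR generation: the private key is created locally and never
# leaves this host; the CSR (public key + subject, signed with the key) is
# the only artifact sent to the CA/API.
set -eu

# gen_csr SITE OUTDIR - SITE and OUTDIR are constructed inputs for the example.
gen_csr() {
  site="$1"
  outdir="$2"
  mkdir -p "$outdir"
  # -newkey creates the private key here; -nodes skips the passphrase prompt
  # (protect the key with a passphrase or an HSM outside of a demo).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$outdir/$site.key" -out "$outdir/$site.csr" \
    -subj "/CN=$site" -addext "subjectAltName=DNS:$site" 2>/dev/null
  chmod 600 "$outdir/$site.key"
}

# check_csr CSR - returns 0 when the CSR parses, its self-signature verifies
# (proving the requester holds the key) and no private-key block leaked into
# the file that is about to be uploaded.
check_csr() {
  csr="$1"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  ! grep -q "PRIVATE KEY" "$csr"
}

# key_matches_csr KEY CSR - returns 0 when the public key embedded in the
# CSR is the one derived from the locally held private key.
key_matches_csr() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  b=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (the API endpoint is hypothetical; only the .csr file is submitted):
#   gen_csr intranet.example.internal ./out
#   check_csr ./out/intranet.example.internal.csr
#   curl -sS --data-binary @./out/intranet.example.internal.csr https://api.example.internal/certs
```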