The encryption parameter of openssl genrsa is used to specify which algorithm should be used to encrypt your private key (using the password you provide).
A CSR (Certificate Signing Request) includes your public key and additional information that must be included in the certificate. A CSR never includes a private key.
Thus, the choice of private key encryption algorithm is not really related to the CSR. Choose whatever you want. AES and Triple-DES (-des3) should be preferred; plain DES is generally considered unsafe these days. Also see why AES is safer than DES. But I think that the choice of algorithm in this particular case is not as important as using a strong password and protecting it.
Note. Remember that if you protect your private key with a password, you will be asked to enter the password each time you want to access the private key, for example, when starting a web server. If you forget the password, your private key will effectively be lost, and you must create a new key and request a new certificate. You can generate the private key without encryption (without a password): openssl genrsa -out filename.key 2048. You can also remove the password (effectively, keep the key unencrypted) at any time using a command like this: openssl rsa -in encrypted.key -out unencrypted.key. You will need the password for this (you will be asked to enter it).
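The steps the answer describes, as an added example that is not part of the original answer: generate an AES-encrypted RSA key, build a CSR from it, confirm the CSR carries no private key, and then strip the passphrase again. The passphrase, the CN and all file names are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original answer. Walks the steps the answer
# describes: encrypt a new RSA key with a passphrase, build a CSR from it,
# confirm the CSR carries no private key, then strip the passphrase again.
# The passphrase and all file names are constructed sample values.
set -eu

WORK=$(mktemp -d)
PASS='sample-passphrase-change-me'   # constructed; -passout/-passin avoid the prompt

# Encrypted private key: AES-256 rather than -des3 or plain DES.
make_encrypted_key() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/encrypted.key" 2048 2>/dev/null
  # Both PEM layouts mark encryption: "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8)
  # or a "Proc-Type: 4,ENCRYPTED" header (legacy "RSA PRIVATE KEY" form).
  grep -q 'ENCRYPTED' "$WORK/encrypted.key"
}

# CSR signed with the encrypted key; a minimal config keeps `req` self-contained.
make_csr() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/encrypted.key" \
    -passin "pass:$PASS" -subj '/CN=example.test' -out "$WORK/request.csr" 2>/dev/null
  # The CSR's self-signature must verify, and it must hold public material only.
  openssl req -in "$WORK/request.csr" -noout -verify >/dev/null 2>&1
  if grep -q 'PRIVATE KEY' "$WORK/request.csr"; then return 1; fi
}

# Remove the passphrase; the key material itself is unchanged.
strip_passphrase() {
  openssl rsa -in "$WORK/encrypted.key" -passin "pass:$PASS" \
    -out "$WORK/unencrypted.key" 2>/dev/null
  if grep -q 'ENCRYPTED' "$WORK/unencrypted.key"; then return 1; fi
  # Same public key in the CSR and in the now-unencrypted key.
  openssl pkey -in "$WORK/unencrypted.key" -pubout 2>/dev/null > "$WORK/key.pub"
  openssl req -in "$WORK/request.csr" -noout -pubkey 2>/dev/null > "$WORK/csr.pub"
  cmp -s "$WORK/key.pub" "$WORK/csr.pub"
}

make_encrypted_key && make_csr && strip_passphrase && echo "all checks passed in $WORK"
```

The unencrypted key is written to a throwaway directory here; on a real host, restrict its permissions (for example chmod 600) since anyone who can read it owns the identity.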