It is a good idea actually.
So, when it comes to CSR, you can use this guidance: https://blogs.technet.microsoft.com/rmilne/2014/06/17/how-to-request-certificate-without-using-iis-or-exchange/
But since you will certainly need a public cert for your TLS cert, you might actually get the guidance or even a tool from your certificate provider (DigiCert and GoDaddy, to name only those, have a wizard that guides you through the CSR generation process).
Also, do not forget the SAN requirement: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_1
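An added example, not part of the original post or the linked guides: a PowerShell sketch that builds a `certreq` INF with the SAN extension and generates the CSR without IIS or Exchange. The host names, file names and SAN list are placeholders chosen for illustration; take the names your farm actually needs from the AD FS requirements page linked above.

```powershell
# Run in an elevated prompt on the AD FS server (MachineKeySet needs admin rights).
# Placeholder names: replace with your own federation service name and SANs.
$FederationServiceName = 'fs.contoso.com'
$SanNames = @(
    $FederationServiceName                   # federation service name
    "certauth.$FederationServiceName"        # only if you use certificate authentication
    'enterpriseregistration.contoso.com'     # only if you use device registration
)

# One "_continue_" line per DNS name, in the syntax certreq expects.
$sanLines = $SanNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$FederationServiceName"
KeyLength = 2048
KeySpec = 1
; Exportable so the issued cert can be moved to other farm nodes; protect the PFX.
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

Set-Content -Path .\adfs-request.inf -Value $inf -Encoding ASCII

# Create the key pair in the machine store and write the PKCS#10 request.
certreq.exe -new .\adfs-request.inf .\adfs-request.req

# Check the SANs before submitting the request to the public CA.
certutil.exe -dump .\adfs-request.req | Select-String 'DNS Name'
```

Once the CA returns the certificate, `certreq.exe -accept <issued-cert-file>` on the same machine binds it to the private key created here.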