kce is dead right, it absolutely does not need to be done on the same machine, but it does need to be done from the relevant private key.
The only reason I'm posting a second answer is because no one has said why you might want to do such a thing. Nearly every key/CSR set that I generate is done from my laptop or desktop, then the key is securely copied onto the server where the certificate will be installed, and the CSR is sent off to the signing agency. The reason is entropy: SSL certificates are generally used to secure servers, and servers often have very shallow entropy pools, which either weakens keypairs they create or makes creation take a long time. Desktops, on the other hand, have a useful source of randomness connected via keyboard/mouse cables, and thus tend to have deep entropy pools. They therefore make much better platforms for operations that require high-quality random numbers, keypair generation being one such purpose.
So not only can the key/CSR be generated off-server, but I find there is frequently a good reason to do so.