
I generated my own CA. Why do I need a CSR from some other site (e.g. facebook.com) to generate certificate for it?

CA signing a certificate is a statement like "I, owner of the private key related to public key xyz, approve this certificate as valid". Why do we need the owner of facebook.com to say "Please, owner of public key xyz, approve my certificate" (generate CSR)?

I might be missing something related to the mathematical formulas of generating certificate, but I'm not sure.

mzakrze

1 Answer

Note: this isn't about programming, and would be better suited on security.SX.

Technically, you don't. To issue an identity certificate (the only kind that is commonly used, although others exist) you need to know the identity and public key of the party you're issuing the cert to, in this case facebook. You may need other information as well, such as the purposes for which the resulting certificate will be used, and who the reliers will be or what they will be like, which usually affects the trust and/or policy information you need to put in the cert.

The commonly used format for a certificate request aka certificate signing request or CSR defined by PKCS10 aka RFC2986 is a standardized way of representing this information, which allows entities that want certificates (called end entities or EEs) and certificate authorities (called CAs) to communicate efficiently, reliably and accurately without mistakes. It has the advantage of using the same format as X.509 to represent the public key, which handles multiple algorithms and can be extended to handle new algorithms in the future without changing the standard and without changing the code handling it if properly designed. It also uses the same format for the 'distinguished name' of the entity -- although since many certs nowadays are for HTTPS or other SSL/TLS servers which use the Subject Alternative Name extension instead (containing DNS name(s) rather than X.500 Distinguished Name), that is becoming less valuable, and even in the past it needed to be vetted by the CA as accurate or at least acceptable and not misleading or deceptive.

However if you are running a CA there's no technical reason you can't accept some other form of this information. Decades ago Netscape invented SPKAC which used to be implemented by some browsers. Other forms are limited only by your imagination, and the work others will or would have to do to conform to whatever you invent -- if they have any motivation to do so, which they probably don't.

dave_thompson_085

  • Thank you for answering. Still, one question remains. Why do I need the private key to generate a CSR? – mzakrze Jan 23 '21 at 09:57
  • mzakrze: PKCS10 is self-signed to prove possession, see in 'related' at right https://stackoverflow.com/questions/15216440 https://stackoverflow.com/questions/31954482 https://stackoverflow.com/questions/56449727 https://stackoverflow.com/questions/63180110 but the requester needs the private key to _use_ the cert for anything anyway, see https://stackoverflow.com/questions/58852971 – dave_thompson_085 Jan 23 '21 at 21:47