No, the CSR does not have to be kept secret as it has no value other then getting your SSL Certificate generated, and does not contain any encryption keys. We do advise you don’t post it anywhere you would not want people to see what you’re doing as they will have access to the information you input into the CSR.
When you generate your CSR you will be generating your Private Key at the same time. This Private Key is what you need to keep a secret.