You need a private key, plain and simple. Otherwise, what are you going
to sign it with? The signature field of an X.509 cert is mandatory.
I mean, if all you want is a public key, you don't need to bother with
the X.509 overhead. You can just pony up a public key that looks like
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
But X.509 is more than just a public key - it's a signed public key.
Technically, a CSR is, too, but CSR's are always self-signed whereas X.509
certs can be signed by anyone.