Looks like you haven't bought anything yet. To begin with, you generate both the key and the signature request yourself, on a trusted device. Then you send the CSR to the air seller to the certification authority, which makes a valid certificate out of it.

Bought an ssl certificate

No, nothing. The fact of paying money does not mean the fact of delivery of the goods :) CSR - certificate request file, KEY - certificate key. Now the CSR needs to be sent to the CA from which you bought it - CRT will come in response.

.key is a private key, in general, only you, as the owner of the future certificate, should generate it. A private key obtained by a third party, including a registrar, should be considered compromised and insecure.
.csr is a request for signing with a higher certificate, it contains all the data of the future certificate (domain, owner, etc.), as well as the signature of this data through the private key .key
.csr must be sent to the registrar for signature, signed by the private key of the registrar The .csr becomes your certificate .crt
Also any of these parts can be in .pem format, this is a text format which describes that it stores + the data itself (key/certificate/certificate chain) in base64.
PS I wrote everything from memory, for reliable information it is better to go to Google. But I will say one thing for sure, it must be either .crt (binary format) or it is wrapped in .pem