bg-tutorials

How to Generate a CSR on Kemp LoadMaster

This guide shows you how to generate a CSR (Certificate Signing Request) on a Kemp LoadMaster. You create the request in the LoadMaster WUI under Certificates & Security > Generate CSR, name the private key, fill in your organization details, then copy the CSR text and send it to your Certificate Authority. The private key is generated at the same time and stays on the LoadMaster, paired with the name you chose, so the signed certificate must be imported back into the same appliance to match it.

Note: Kemp was acquired by Progress Software in November 2021, and the product is officially branded Progress Kemp LoadMaster. The on-device firmware is called LMOS (LoadMaster Operating System), with current builds on the 7.2.x branch. The name “Kemp LoadMaster” is still widely used by administrators and in third-party documentation, so this guide uses both interchangeably.

Generate the CSR on Kemp LoadMaster

If you have already generated your CSR and received the signed files from the CA, skip this section and go straight to how to install an SSL certificate on Kemp LoadMaster. Otherwise, follow the steps below. The menu paths and field labels match current LMOS 7.2.x builds.

Step 1: Open the Generate CSR screen

  • Log in to your LoadMaster Web User Interface (WUI) with an account that has certificate management rights, such as the built-in bal administrator.
  • In the main menu, expand Certificates & Security and open Generate CSR. The Generate Certificate Signing Request form opens.
  • In the Private Key Identifier field, enter a friendly name for the key, for example yourdomain-2026. This label is how the LoadMaster keeps the private key paired with the future signed certificate, so use something you will recognize later.

Step 2: Fill in the form

Complete every field. Public Certificate Authorities require all of the location and organization values for Organization Validated (OV) and Extended Validation (EV) products; Domain Validated (DV) certificates use them too, even though some are not printed in the issued certificate.

  • 2 Letter Country Code: the ISO 3166-1 alpha-2 code for the country where your organization is registered, for example US for the United States or DE for Germany. See the full list of country codes if you are unsure.
  • State/Province (Entire Name – New York, not NY): the full name of the state, province, or region, for example Arizona, not the abbreviation.
  • City: the full name of the city where your organization is officially located, for example Phoenix.
  • Company: the full legal name of the company that owns the domain, exactly as it appears in your business registration, for example Your Company LLC. CAs reject mismatches between this field and the verified business name for OV and EV certificates.
  • Organization: this field is the Organizational Unit (department), for example IT or Marketing. Public CAs no longer include the OU field in issued certificates, so leave it blank or enter a generic department name.
  • Common Name: the fully qualified domain name (FQDN) you want to secure, for example www.yourdomain.com. For a wildcard certificate, put an asterisk in front of the apex, for example *.yourdomain.com.
  • Email Address: an administrative contact email at your organization. Some CAs use it for validation correspondence; otherwise it is informational only.
  • SAN/UCC Names: list every additional hostname the certificate must cover, separated by spaces or commas, for example yourdomain.com mail.yourdomain.com. Public CAs validate and present certificates based on the SAN list rather than the Common Name, so repeat the Common Name value here as well.
  • Generate Elliptical Curve Request: tick this box only if you want an ECDSA (P-256) key and your CA and clients support it. Leave it unchecked for the standard RSA 2048-bit key, which is the broadest fit.

LoadMaster signs the request with SHA-256 by default, which meets every current public CA’s minimum digest requirement.

Step 3: Create the CSR

Double-check every field, especially the Common Name and SAN list, then click Create CSR. The LoadMaster generates the key pair on the appliance and displays the CSR text on screen, between the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– markers. The private key stays on the LoadMaster, keyed by the Private Key Identifier you chose in Step 1.

Copy and submit the CSR

The text the LoadMaster shows looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIC...your encoded request...AB==
-----END CERTIFICATE REQUEST-----

Select the whole block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines and every character between them. Each marker uses five hyphens on each side, with no spaces. Copy the block and paste it into the CSR field on your SSL vendor’s order page. If you want to keep a local copy, paste the same text into a plain-text editor (Notepad, TextEdit in plain-text mode, or any code editor) and save it as a .csr or .txt file.

Do not delete the matching entry from SSL Certificates while you wait for the signed certificate to come back. The LoadMaster needs the stored private key to pair with the issued certificate at import time.

Check the CSR before you submit it

It is worth confirming the request contains the right domain and organization details before placing the order. Paste the CSR text into our online CSR decoder to see the Common Name, SAN entries, key size, signature algorithm, and organization values the LoadMaster wrote into the request. If anything is wrong, generate a new CSR on the LoadMaster rather than editing the file: any change to the text invalidates the signature.

If you would rather prepare the request in a browser, you can also build one with our online CSR Generator. Note that the generator creates the private key in your browser, so save the key yourself and combine it with the issued certificate into a .pfx file before importing to the LoadMaster (LoadMaster accepts PEM and PFX).

After the CA issues your certificate

Once the CA validates the request, it emails you the signed certificate and its intermediate (CA) chain, usually in a ZIP archive. Download and extract the archive on your computer, then go back to the LoadMaster WUI:

  • Open Certificates & Security > SSL Certificates and use Import Certificate to upload the signed certificate. Enter the same Certificate Identifier you used as the Private Key Identifier when you generated the CSR. The LoadMaster pairs the imported certificate with the stored private key by that name, so no separate key file is needed.
  • Add the intermediate (CA bundle) under Certificates & Security > Intermediate Certs so the LoadMaster can serve the complete chain. If the CA returned a single .pfx file that already includes the chain, you can import that directly instead and skip the separate intermediate step.
  • Assign the certificate to your Virtual Service in the certificate’s Assignment section: move the service from Available VSs to the assigned box with the right-arrow button, then click Save Changes. A certificate that is imported but not assigned is stored on the LoadMaster but does not serve traffic, which is the most common reason a freshly installed certificate appears to do nothing.

The full procedure, including SSL Acceleration on the Virtual Service, is in our guide on how to install an SSL certificate on Kemp LoadMaster.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.