This guide shows you how to generate a CSR (Certificate Signing Request) on a SonicWall firewall running SonicOS. You create the request in the web management interface under Device > Settings > Certificates, fill in the subject details, choose a 2048-bit (or larger) RSA key and the SHA-256 signature algorithm, then export the request and send it to your Certificate Authority.
The private key is created at the same time and stays on the firewall as a Pending Request: it is not included when you export the CSR. The steps below match SonicOS 7.x; menu paths for SonicOS 6.5 and the legacy SMA / SSL-VPN appliances are noted where they differ.
Generate the CSR on SonicWall (SonicOS 7.x)
If you have already generated your CSR and received the signed certificate files, skip ahead to how to install an SSL certificate on SonicWall.
Step 1: Open the Certificates page
- Log in to the SonicWall web management interface as an administrator.
- Go to Device > Settings > Certificates. The page lists every certificate currently on the appliance.
- Click New Signing Request to open the Certificate dialog.
On SonicOS 6.5 in Manage view, the path is Manage > Appliance > Certificates. On legacy SMA 100 series and older SSL-VPN appliances, the path is System > Certificates and the button is labelled Generate CSR. The field names below are essentially the same across versions.
Step 2: Enter the certificate alias and subject details
In the Certificate Alias field, type a label you will recognise later on the firewall, for example your domain name plus the year. The alias is an internal name only; it does not appear in the certificate itself.
Build the Subject Distinguished Name using the drop-downs and text fields. As you fill in each component, SonicOS assembles the full DN in the Subject Distinguished Name preview field.
- Country: the two-letter ISO country code where your organisation is registered, for example US.
- State: the full name of the state or region, for example Hawaii. For a Business Validation or Extended Validation certificate, use the state your company is legally registered in.
- Locality, City, or County: the full name of the city, for example Honolulu.
- Company or Organization: the full legal name of your company, for example Your Company LLC. Leave this blank only if you are ordering a Domain Validation certificate.
- Department: optional. You can use a value like IT or Web, or leave it empty. Public CAs do not validate this field.
- Common Name: the fully qualified domain name (FQDN) you want to secure, for example vpn.example.com. For a wildcard certificate, put an asterisk in front of the domain, for example *.example.com. The Common Name should match the hostname you use to reach the firewall (admin page, SSL VPN portal, or both).
- E-Mail Address: a valid contact address at your organisation.
Step 3: Add a Subject Alternative Name (optional)
Under Subject Alternative Name, pick a type from the drop-down (Domain Name, Email Address, or IPv4 Address) and enter the value. Modern browsers validate certificates against the SAN list, not the Common Name, so the first SAN entry should match the Common Name. SonicOS allows only one SAN entry on the request itself; if your certificate must cover several hostnames, list the additional names during checkout with the CA. Most public CAs accept extra SAN entries supplied on the order form alongside the CSR.
Step 4: Choose the signature algorithm and key
- Signature Algorithm: change the default from SHA1 to SHA256 (or SHA384 / SHA512). Public CAs have rejected SHA-1 signed certificates since 2015, so a CSR signed with SHA-1 will not be issued.
- Subject Key Type: leave the default RSA. Choose ECDSA only if your CA and all clients you serve support ECDSA certificates.
- Subject Key Size/Curve: choose at least 2048 bits for RSA. The factory default is 1024, which public CAs reject; 3072 and 4096 are also accepted. For ECDSA, prime256v1 is a safe choice.
Step 5: Generate the request
Check the entries, then click Generate. SonicOS creates the CSR and its matching private key and adds a new row to the Certificates table. The new entry has the type Pending request and stays in that state until you import the signed certificate.
Export the CSR
- Find the new Pending request in the Certificates table.
- Click the Export icon next to it. SonicOS downloads a single .csr file containing the request only. The private key stays on the firewall.
On legacy SMA 100 / SSL-VPN appliances, the behaviour is different: submitting the form downloads a .zip archive that contains server.csr and server.key. Save both files together; you will need server.key when you import the issued certificate as a PKCS#12 bundle later. On SonicOS 7.x firewalls, you do not get a key file because the key never leaves the device.
Open the exported .csr file with any plain-text editor such as Notepad. The contents start with -----BEGIN CERTIFICATE REQUEST----- and end with -----END CERTIFICATE REQUEST-----. During SSL enrollment, copy the whole block, including those two header and footer lines, into the CSR field on your SSL vendor’s order page.
Check the CSR before you submit it
Before you place the order, confirm the request contains the right domain and organisation details. If you have OpenSSL on any machine, decode the exported file with:
openssl req -noout -text -in request.csr
Check that the Common Name, the SAN entries, and the organisation fields are correct, the signature algorithm is sha256 or stronger, and the key size is 2048 bits or more. If anything is wrong, generate a new CSR on the firewall rather than editing the file: any change to the text invalidates the signature. Without OpenSSL, paste the exported request into our online CSR decoder to confirm the same fields.
If you would rather prepare the request in a browser instead of in SonicOS, you can also generate a CSR with our CSR Generator. On a SonicOS 7.x firewall, generating the CSR off the appliance means you will later import the issued certificate as a PKCS#12 bundle that contains both the certificate and the matching key, rather than completing the on-device Pending request.
After the CA issues your certificate
Once the CA validates the CSR and issues your SSL certificate, return to Device > Settings > Certificates, find the same Pending request entry, and click the Upload icon next to it to attach the signed file. Do not create a new entry: SonicOS pairs the issued certificate with the matching private key only when you upload it onto the same pending row. Acceptable formats are PEM (.pem, .cer) and PKCS#7 (.p7b). The full procedure, including how to assign the certificate to the admin page and the SSL VPN portal, is in our guide on how to install an SSL certificate on SonicWall.
Frequently Asked Questions
In SonicOS 7.x, log in to the web management interface, go to Device > Settings > Certificates, and click New Signing Request. On SonicOS 6.5 in Manage view the path is Manage > Appliance > Certificates, and on legacy SMA / SSL-VPN appliances it is System > Certificates with a button labelled Generate CSR.
On SonicOS 7.x firewalls, no. The Export option only downloads the .csr file; the matching private key stays on the device as part of the Pending request entry, which is why you must upload the issued certificate back onto that same entry. On older SMA 100 / SSL-VPN appliances, generating the CSR downloads a .zip archive containing both server.csr and server.key, so keep both files together.
The SonicOS Signature Algorithm drop-down still defaults to SHA1, but every public CA stopped issuing SHA-1 signed certificates years ago. A CSR signed with SHA-1 will be rejected during enrollment. Select SHA256 (or SHA384 / SHA512) before you click Generate.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


