bg-tutorials

How to Generate CSR on Zyxel Zywall USG

This guide shows you how to generate a CSR (Certificate Signing Request) on a Zyxel ZyWALL/USG firewall from the web configurator. The same procedure works on the classic ZyWALL and USG line (USG 20, 40, 60, 110, 210, 310, 1100) and on the current USG Flex, ATP, and VPN series running ZLD firmware, since they share the same Configuration > Object > Certificate screens. The newer USG Flex H series runs Zyxel’s uOS firmware instead, and uses a slightly different path (System > Certificate > My Certificates); the field set and overall workflow are otherwise the same.

A CSR is a small block of encoded text that holds your domain, organization details, and public key. You hand it to a Certificate Authority (CA), the CA signs it, and the signed certificate comes back ready to install.

Before you start

Have these details ready, because the form asks for them in one shot:

  • The fully qualified domain name (FQDN) you want the certificate to cover, for example vpn.example.com, fw.example.com, or the public hostname users hit when they reach the SSL VPN portal or the HTTPS admin page.
  • Your organization’s legal name exactly as it appears on the entity’s registration (required by every public CA).
  • Your country, state/province, and city. The two-letter country code is required; state and city are required for OV and EV certificates.
  • Admin access to the firewall web configurator.

Two ways to get a CSR for your Zyxel firewall

Decide upfront where the private key should live. The choice affects how you install the issued certificate later.

  • On the firewall (recommended). Generate the CSR in Configuration > Object > Certificate > My Certificates. The private key is created and stored inside the device and never leaves it. When the CA returns the signed certificate, you import it back into the same pending entry, which pairs it with the key automatically. This is the procedure described below.
  • Off-device. Generate the CSR and private key on a separate machine with our CSR Generator or with OpenSSL. After issuance, bundle the certificate, the CA chain, and the private key into a single PKCS#12 file (.p12 / .pfx) and import that into the firewall. Use this path when you need to deploy the same certificate to multiple appliances or when you already keep keys in a central store.

Generate a CSR on Zyxel ZyWALL/USG

If you have already generated your CSR off-device with our CSR Generator or OpenSSL, skip ahead to how to install an SSL certificate on Zyxel ZyWALL/USG.

Step 1: Log in to the Zyxel web configurator

Open a browser, go to the firewall’s management address (for example https://192.168.1.1), and sign in with an administrator account.

Step 2: Open My Certificates

In the left menu, go to Configuration > Object > Certificate > My Certificates. On classic ZyWALL/USG models the menu may shorten to Object > Certificate > My Certificates; on USG Flex, ATP, and VPN models the full path uses the Configuration prefix. On the newer USG Flex H series (uOS firmware), the equivalent screen is System > Certificate > My Certificates.

Step 3: Add a new certificate entry

Click Add above the certificate list. The My Certificates Add dialog opens with a single long form. Fill it in as follows:

  • Name: a label that identifies this certificate inside the device, for example vpn-example-com-2026. It is internal only and does not appear in the issued certificate.
  • Subject Information > Common Name: select Host Domain Name and enter the FQDN the certificate must protect (for example vpn.example.com). Pick Host IP Address only for an internal device reached purely by IP, since public CAs do not issue certificates to raw IPs.
  • Organizational Unit: leave blank. Public CAs no longer include the OU field in publicly trusted certificates (the CA/Browser Forum retired it for new issuance starting September 2022), so anything you type here is dropped by the CA.
  • Organization: the legal name of your company, for example Example Corp LLC. Required for OV and EV certificates and validated against official records.
  • Country: the ISO two-letter country code (for example US, GB, DE). Required for every public certificate.
  • State (Province): the full name of your state or province (for example California), no abbreviation.
  • Locality (City): the full city name (for example San Francisco).
  • Subject Alternative Name: if the firmware exposes a SAN section, leave it empty for a single-host certificate. Most CAs add the Common Name as a SAN automatically. For multi-name coverage, order a SAN/multi-domain certificate and list the extra names with your CA at order time.
  • Key Type: RSA for the broadest compatibility. ECDSA (P-256) is fine if you control all clients and prefer smaller keys.
  • Key Length: 2048 bits minimum. 4096 is accepted by all major CAs and adds future-proofing at a small performance cost.
  • Enrollment Options: select Create a certification request and save it locally for later manual enrollment. This is the offline option that produces a CSR you submit to the CA yourself, rather than auto-enrolling with an internal CA.

Click OK. The device generates the key pair and the CSR, then returns you to the My Certificates list with a new entry whose Type is REQ (a pending request).

Step 4: Retrieve the CSR text

You now need the Base64 (PEM) text of the CSR to paste into your CA order form:

  • In My Certificates, find the new entry and click Edit (or the entry name).
  • Scroll to the Certification Request (or Certificate in PEM) box at the bottom of the screen. It contains the full PEM block bounded by —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—–.
  • Copy everything from the first dash of the BEGIN line through the last dash of the END line.
  • If your firmware also offers an Export Certificate Request button, you can download the same content as a .csr file.

A valid CSR block looks like this (yours will be longer and unique):

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
... (many lines of Base64) ...
-----END CERTIFICATE REQUEST-----

Step 5: Submit the CSR to the Certificate Authority

Paste the CSR text into your CA order form (or the SSL Dragon checkout), then complete domain control and any organization validation the certificate type requires. Before you submit, verify the CSR with our CSR Decoder to confirm the Common Name, organization, country, and key size are correct. Catching a typo here saves a reissue later.

Do not delete the pending REQ entry in My Certificates. It holds the private key that matches your CSR; if you remove it, the issued certificate becomes unusable and you have to start over.

After the CA issues your certificate

The CA emails the signed certificate, usually as a .cer, .crt, or .p7b file (often packaged with the intermediate chain). To finish the install, open the same pending entry in My Certificates and use the Import action on that row to upload the signed certificate. The firewall pairs it with the private key it kept from Step 3, and the entry type changes from REQ to CERT. Then assign the certificate under Configuration > System > WWW (for the HTTPS admin page) or in the SSL VPN settings, depending on what you need it for.

Full step-by-step instructions, including the alternative PKCS#12 import for keys generated off-device, are in our companion guide: how to install an SSL certificate on Zyxel ZyWALL/USG. After installation, confirm the result with our SSL Checker.

Frequently Asked Questions

Where is the CSR option on a Zyxel ZyWALL or USG Flex?

In the web configurator, go to Configuration > Object > Certificate > My Certificates and click Add. Choose the enrollment option Create a certification request and save it locally for later manual enrollment. The same path works on the classic ZyWALL/USG, the current USG Flex, the ATP series, and the VPN series, since they share the ZLD firmware family. On the newer USG Flex H series, which runs Zyxel’s uOS firmware, use System > Certificate > My Certificates instead; the fields and workflow are the same.

What do I put in Common Name?

The fully qualified hostname your users will type to reach the firewall, for example vpn.example.com for an SSL VPN portal or fw.example.com for an HTTPS admin page. The name must resolve in public DNS for a publicly trusted certificate. Public CAs do not issue certificates to raw IP addresses, so pick Host IP Address only when you intend to use a self-signed certificate or a private internal CA.

Should I fill in Organizational Unit?

No. Leave it blank. The CA/Browser Forum retired the OU (Organizational Unit) field for publicly trusted certificates issued from September 1, 2022 onward, so any value you enter is stripped by the CA before signing. The form still accepts it for legacy and internal-CA cases, but for a public certificate it serves no purpose.

How do I get the CSR text out of the device?

Open the pending entry under My Certificates, scroll to the Certification Request box at the bottom of the edit screen, and copy the full PEM block (from —–BEGIN CERTIFICATE REQUEST—– through —–END CERTIFICATE REQUEST—–). On firmware versions that expose it, the Export Certificate Request button downloads the same content as a .csr file you can attach to your CA order.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.