In this tutorial, you will learn how to install an SSL certificate on SonicWall (SonicOS). On a SonicWall firewall you import the certificate as a single PKCS#12 bundle that contains the certificate, its private key, and the CA chain, then assign it to the services that need it: the admin web management page and/or the SSL VPN portal.
Generate a CSR code on SonicWall
If you have already applied for your SSL certificate and received the SSL files, skip the CSR section and jump straight to the installation steps.
CSR stands for Certificate Signing Request, a block of encoded text that holds the contact and domain details the Certificate Authority (CA) needs to verify your credentials before it issues your certificate. Generating the CSR also creates the matching private key; together the CSR and private key form the SSL certificate key pair. You have two options:
- Use our CSR Generator to create the CSR automatically. This is the simplest route, and it produces a CSR and a private key file you can download and keep together.
- Follow our step-by-step tutorial on how to generate a CSR on SonicWall.
Whichever method you use, submit the CSR to the Certificate Authority during your order. Keep the private key safe and in the same place as the CSR, because you will need that key later to build the PKCS#12 file. After the CA validates your request and issues the certificate, continue with the installation below.
Note: SonicWall firewalls import the certificate together with its private key as a single PKCS#12 file, so generating the CSR and key off the appliance (with our generator or with OpenSSL) keeps the whole process simpler. If you generated the CSR on a different system, that is fine; just make sure you still have the private key that was created with it.
Install an SSL certificate on SonicWall
After the CA issues your certificate, download the ZIP archive and extract it on your computer. You should have your primary (server) certificate, one or more intermediate (CA) certificates, and the private key you generated with the CSR. The steps below match SonicOS 7.x; the menu names for older 6.5 firmware are noted where they differ.
Step 1: Build a PKCS#12 (.pfx) file from your certificate and key
SonicWall imports a third-party certificate and its private key as one PKCS#12 file (extension .pfx or .p12). If your CA already gave you a .pfx file, skip to Step 2. Otherwise, combine your private key, your server certificate, and the CA chain into a single .pfx with OpenSSL:
openssl pkcs12 -export -out sonicwall.pfx -inkey server.key -in server.crt -certfile ca-bundle.crt
Replace server.key with your private key, server.crt with your issued certificate, and ca-bundle.crt with the file holding your intermediate (and root) certificates. OpenSSL prompts you to set an export password; remember it, because SonicWall asks for the same password when you import the file. If your private key has no chain file, you can omit the -certfile part, but bundling the chain now is what prevents browser trust warnings later.
On Windows you do not need OpenSSL. If the certificate was issued to a Windows machine, open the Certificates (Local Computer) snap-in in mmc, find the certificate, and choose All Tasks > Export, selecting Yes, export the private key to produce a .pfx file.
Step 2: Open the Certificates page in SonicOS
Log in to your SonicWall management interface as an administrator. In SonicOS 7.x, go to Device > Settings > Certificates. On SonicOS 6.5 in Manage view the path is Manage > Appliance > Certificates, and on older legacy firmware it is System > Certificates. The page lists every certificate currently on the appliance under the certificates table.
Step 3: Import the PKCS#12 certificate
Click Import to open the Import Certificate dialog. Select the option Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx) encoded file. Then fill in the fields:
- In Certificate Name, type a label you will recognize later, for example your domain name.
- In Certificate Management Password, enter the export password you set when you created the .pfx file in Step 1.
- Click Browse (labelled Choose File or Add File on some builds), select your .pfx file, and confirm.
Click Import to load the certificate onto the firewall. When it succeeds, the new entry appears in the certificates table, and its status shows that the certificate is paired with a private key. Because you bundled the chain into the .pfx, the intermediate certificates are imported with it, so you usually do not need a separate CA import. If your CA provided the chain separately and you want to import it on its own, use Import again and choose Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem), or DER (.der or .cer) encoded file.
Step 4: Apply the certificate where you need it
Importing the certificate does not activate it on its own; you have to assign it to a service. Choose whichever applies to you.
For the SonicWall admin login page (HTTPS management): go to Device > Settings > Administration and open the Management tab (on SonicOS 6.5, Manage > Appliance > Base Settings). In the Certificate Selection drop-down, select the certificate you just imported, then click Accept. For the browser to trust the management page without a warning, the certificate’s common name (or a SAN entry) must match the hostname you use to reach the firewall, so use an FQDN rather than the raw IP address.
For SSL VPN remote access: go to Network > SSL VPN > Server Settings. In the Certificate Selection drop-down (which defaults to Use Self-signed Certificate), select the certificate you imported, then click Accept. This is the certificate users see when they connect to the SSL VPN portal, so a publicly trusted certificate removes the warning that the default self-signed certificate triggers.
Step 5: Restart the affected service
SonicOS applies the new certificate as soon as you click Accept, and the management or SSL VPN service restarts its HTTPS listener. Your browser session to the admin page may drop briefly while the appliance switches certificates; log back in using the hostname that matches the certificate. If a service does not pick up the new certificate, toggle it off and on, or reboot the firewall during a maintenance window from Device > Settings > Restart (SonicOS 6.5: Manage > Appliance > Restart).
That is it. Your SSL certificate is now installed and active on SonicWall.
Test your SSL installation
After installing the certificate on SonicWall, run an SSL scan against the public hostname and port (the management page or the SSL VPN portal) to confirm the certificate and chain are served correctly and to catch any errors. To do this, use our SSL Checker to test your SSL certificate.
You can also confirm the certificate is present and correct on the appliance: open Device > Settings > Certificates, select the entry, and view its details to check the issuer, the common name, and the validity dates, so you can be sure the right certificate is in place and not expired.
Frequently Asked Questions
A SonicWall firewall imports a third-party certificate together with its private key, and the PKCS#12 format (a .pfx or .p12 file) is the container that holds the certificate, the matching private key, and the CA chain in one password-protected file. If you import only the certificate without the key, SonicOS cannot use it for HTTPS or SSL VPN. Build the bundle with the OpenSSL command in Step 1, or export it as a .pfx from Windows.
In SonicOS 7.x, go to Device > Settings > Certificates. On SonicOS 6.5 in Manage view, the path is Manage > Appliance > Certificates, and on older legacy firmware it is System > Certificates. From there you import certificates, view their details, and delete ones you no longer need.
After importing the certificate, go to Device > Settings > Administration and open the Management tab, then select your certificate from the Certificate Selection drop-down and click Accept. The browser only trusts the management page without a warning when you reach the firewall by the hostname in the certificate, so use the FQDN that matches the certificate’s common name or SAN, not the raw IP address.
Go to Network > SSL VPN > Server Settings, open the Certificate Selection drop-down (it defaults to Use Self-signed Certificate), choose the certificate you imported, and click Accept. SSL VPN users then see your publicly trusted certificate when they connect to the portal, instead of the browser warning the self-signed default produces.
The two most common causes are a missing intermediate (CA) certificate and a hostname mismatch. Make sure the chain was included when you built the .pfx (the -certfile part of the OpenSSL command), and confirm you are reaching the firewall by the exact hostname in the certificate, since a difference between the URL and the certificate’s common name or SAN also triggers a warning. If you assigned the certificate but the old one still appears, restart the affected service so SonicOS serves the new one.
SonicOS can create a certificate signing request, but the private key then stays on the appliance, which complicates a PKCS#12 import later. For most installations it is simpler to generate the CSR and key off the appliance, with our CSR Generator or with OpenSSL, so you can bundle the issued certificate and key into a .pfx and import that. See our guide on how to generate a CSR on SonicWall for the details.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


