bg-tutorials

How to Install an SSL certificate on Zyxel ZyWall USG

This guide shows you how to install an SSL certificate on a Zyxel ZyWALL/USG firewall (including the current USG FLEX and ATP models running ZLD firmware).

Generate a CSR on Zyxel ZyWALL/USG

CSR stands for Certificate Signing Request: a block of encoded text containing your contact details and public key. To obtain a third-party SSL certificate, you generate a CSR and submit it to a Certificate Authority (CA) for validation. You have two options:

Where you generate the CSR decides how you install later. If you create the CSR on the firewall (Configuration > Object > Certificate > My Certificates > Add), the private key stays on the device and you simply import the issued certificate on its own. If you generate the CSR off-device (for example with our CSR Generator or OpenSSL), the private key lives in a file on your computer, and you must reunite it with the certificate inside a PKCS#12 bundle before importing (see the next section). Submit the CSR to the CA during checkout, complete validation, and continue with the installation below once your certificate is issued.

Install an SSL certificate on Zyxel ZyWALL/USG

After the CA validates your order, it emails you the certificate. Download the archive and extract it on your local machine. Which path you follow next depends on where the private key is.

Step 1: Choose the right import method

  • CSR generated on the firewall: the matching key is already stored in the pending My Certificates entry. Import the issued certificate by itself (Step 2A).
  • CSR generated off-device (our CSR Generator, OpenSSL, another server): the firewall has no key to pair with the certificate, so you must import a PKCS#12 bundle that carries the certificate, chain, and private key together (Step 2B). This is the most common case.

Step 2A: Import a certificate when the key is already on the device

If you generated the CSR on the ZyWALL/USG, import the file the CA sent you (typically .cer, .crt, or .p7b):

  1. In the web configurator, go to Configuration > Object > Certificate > My Certificates.
  2. Click Import.
  3. Click Browse and select the certificate file the CA issued.
  4. Leave the password field blank (the key is already on the device, so no PKCS#12 password is needed) and click OK.
  5. The status of the matching entry changes from a pending request to an installed certificate. Continue to Step 3 to apply it.

Step 2B: Build and import a PKCS#12 bundle (key off-device)

The ZLD firmware will not accept a bare PEM/CRT when the matching key is not already on the box, and it cannot read a private key on its own. Bundle everything into one .p12 file with OpenSSL. Run this on any machine that has OpenSSL (Linux, macOS, or Windows with the OpenSSL/Git tools), in the folder that holds your files:

openssl pkcs12 -export -out yourdomain.p12 -inkey yourdomain.key -in yourdomain.crt -certfile ca-bundle.crt
  • -inkey yourdomain.key: the private key generated alongside your CSR.
  • -in yourdomain.crt: your issued (primary/leaf) certificate.
  • -certfile ca-bundle.crt: the intermediate (and root) certificates, so the firewall serves the full chain of trust. If the CA sent the intermediates as separate files, concatenate them into one ca-bundle.crt first, or pass the bundle file your CA provided.

OpenSSL prompts for an Export Password. Set one and remember it; you will type the same password when importing into the firewall. Then import the bundle:

  1. In the web configurator, go to Configuration > Object > Certificate > My Certificates.
  2. Click Import.
  3. Click Browse and select your yourdomain.p12 file.
  4. Enter the Export Password you set in the OpenSSL command, then click OK.
  5. The certificate now appears in My Certificates with its private key attached.

If the import is rejected, some firmware builds reject a PKCS#12 file that contains intermediate certificates. In that case, rebuild the .p12 with only the leaf certificate and key (omit -certfile), and import the intermediate/root certificates separately under Configuration > Object > Certificate > Trusted Certificates.

Step 3: Apply the certificate

Importing a certificate does not put it into service. You have to select it for the feature that needs it.

  • Web admin (HTTPS management): go to Configuration > System > WWW, set Server Certificate to your imported certificate, and click Apply.
  • SSL VPN: go to Configuration > VPN > SSL VPN (on older firmware, Configuration > Object > SSL Application / the SSL VPN access settings) and select the same certificate as the server certificate.

If you changed the web admin certificate, your browser session may drop while the service restarts; reconnect over HTTPS and confirm the new certificate is being served.

Check your configuration

After installation, verify that the firewall serves the certificate and the complete chain. Browse to the management URL or SSL VPN portal over HTTPS and confirm the padlock, then run an external scan with our SSL checker for an instant report on the certificate, chain, and protocol support. You can also confirm the served certificate from any machine with OpenSSL:

echo | openssl s_client -connect your-firewall-host:443 -servername your-firewall-host 2>/dev/null | openssl x509 -noout -issuer -subject -dates

This prints the issuer, subject, and validity dates of the certificate the firewall presents. If you manage the device on a custom port, replace 443 with that port.

Where to buy the best SSL certificate for Zyxel ZyWALL/USG?

SSL Dragon is your source for all your SSL needs. Our intuitive, user-friendly website walks you through the entire range of SSL certificates, and every product is signed by a trusted Certificate Authority and fully compatible with Zyxel ZyWALL/USG, USG FLEX, and ATP firewalls. Enjoy some of the lowest prices on the market and dedicated support for whichever certificate you choose.

Frequently Asked Questions

What certificate format does a Zyxel ZyWALL/USG need?

If you generated the CSR on the firewall, import the issued .cer, .crt, or .p7b file directly. If the key was generated off-device, bundle the certificate, chain, and private key into a PKCS#12 file (.p12 / .pfx) and import that, because the web configurator cannot import a standalone private key.

Why does my Zyxel certificate import fail or show no private key?

That almost always means the certificate and its private key were never paired. Importing a plain .crt when the matching key is not on the device leaves an unusable entry. Rebuild a .p12 bundle that includes the key (see Step 2B) and import that instead. If a bundle containing intermediates is rejected, export the .p12 with only the leaf certificate and key, and add the intermediates under Trusted Certificates.

How do I convert a .pfx file to .p12 for Zyxel?

You usually do not need to convert anything; .pfx and .p12 are the same PKCS#12 format. If your tool produced a .pfx and the firewall only lists .p12, simply rename the file extension from .pfx to .p12 before importing.

Where do I apply the certificate after importing it?

For the HTTPS management interface, set it under Configuration > System > WWW as the Server Certificate. For remote access, select the same certificate in the SSL VPN settings. Importing alone does not activate a certificate.

Does this work on USG FLEX and ATP models too?

Yes. The current USG FLEX and ATP firewalls run the same ZLD firmware family as the classic ZyWALL/USG, so the menu path Configuration > Object > Certificate > My Certificates and the PKCS#12 import process are the same. Exact wording can vary slightly between firmware versions.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.