This guide shows you how to install an SSL certificate on a Zyxel ZyWALL/USG firewall (including the current USG FLEX and ATP models running ZLD firmware).
Generate a CSR on Zyxel ZyWALL/USG
CSR stands for Certificate Signing Request: a block of encoded text containing your contact details and public key. To obtain a third-party SSL certificate, you generate a CSR and submit it to a Certificate Authority (CA) for validation. You have two options:
- Use our CSR Generator to create the CSR and a matching private key on your own machine.
- Follow our step-by-step tutorial on how to generate a CSR on Zyxel ZyWALL/USG.
Where you generate the CSR decides how you install later. If you create the CSR on the firewall (Configuration > Object > Certificate > My Certificates > Add), the private key stays on the device and you simply import the issued certificate on its own. If you generate the CSR off-device (for example with our CSR Generator or OpenSSL), the private key lives in a file on your computer, and you must reunite it with the certificate inside a PKCS#12 bundle before importing (see the next section). Submit the CSR to the CA during checkout, complete validation, and continue with the installation below once your certificate is issued.
Install an SSL certificate on Zyxel ZyWALL/USG
After the CA validates your order, it emails you the certificate. Download the archive and extract it on your local machine. Which path you follow next depends on where the private key is.
Step 1: Choose the right import method
- CSR generated on the firewall: the matching key is already stored in the pending My Certificates entry. Import the issued certificate by itself (Step 2A).
- CSR generated off-device (our CSR Generator, OpenSSL, another server): the firewall has no key to pair with the certificate, so you must import a PKCS#12 bundle that carries the certificate, chain, and private key together (Step 2B). This is the most common case.
Step 2A: Import a certificate when the key is already on the device
If you generated the CSR on the ZyWALL/USG, import the file the CA sent you (typically .cer, .crt, or .p7b):
- In the web configurator, go to Configuration > Object > Certificate > My Certificates.
- Click Import.
- Click Browse and select the certificate file the CA issued.
- Leave the password field blank (the key is already on the device, so no PKCS#12 password is needed) and click OK.
- The status of the matching entry changes from a pending request to an installed certificate. Continue to Step 3 to apply it.
Step 2B: Build and import a PKCS#12 bundle (key off-device)
The ZLD firmware will not accept a bare PEM/CRT when the matching key is not already on the box, and it cannot read a private key on its own. Bundle everything into one .p12 file with OpenSSL. Run this on any machine that has OpenSSL (Linux, macOS, or Windows with the OpenSSL/Git tools), in the folder that holds your files:
openssl pkcs12 -export -out yourdomain.p12 -inkey yourdomain.key -in yourdomain.crt -certfile ca-bundle.crt
- -inkey yourdomain.key: the private key generated alongside your CSR.
- -in yourdomain.crt: your issued (primary/leaf) certificate.
- -certfile ca-bundle.crt: the intermediate (and root) certificates, so the firewall serves the full chain of trust. If the CA sent the intermediates as separate files, concatenate them into one ca-bundle.crt first, or pass the bundle file your CA provided.
OpenSSL prompts for an Export Password. Set one and remember it; you will type the same password when importing into the firewall. Then import the bundle:
- In the web configurator, go to Configuration > Object > Certificate > My Certificates.
- Click Import.
- Click Browse and select your yourdomain.p12 file.
- Enter the Export Password you set in the OpenSSL command, then click OK.
- The certificate now appears in My Certificates with its private key attached.
If the import is rejected, some firmware builds reject a PKCS#12 file that contains intermediate certificates. In that case, rebuild the .p12 with only the leaf certificate and key (omit -certfile), and import the intermediate/root certificates separately under Configuration > Object > Certificate > Trusted Certificates.
Step 3: Apply the certificate
Importing a certificate does not put it into service. You have to select it for the feature that needs it.
- Web admin (HTTPS management): go to Configuration > System > WWW, set Server Certificate to your imported certificate, and click Apply.
- SSL VPN: go to Configuration > VPN > SSL VPN (on older firmware, Configuration > Object > SSL Application / the SSL VPN access settings) and select the same certificate as the server certificate.
If you changed the web admin certificate, your browser session may drop while the service restarts; reconnect over HTTPS and confirm the new certificate is being served.
Check your configuration
After installation, verify that the firewall serves the certificate and the complete chain. Browse to the management URL or SSL VPN portal over HTTPS and confirm the padlock, then run an external scan with our SSL checker for an instant report on the certificate, chain, and protocol support. You can also confirm the served certificate from any machine with OpenSSL:
echo | openssl s_client -connect your-firewall-host:443 -servername your-firewall-host 2>/dev/null | openssl x509 -noout -issuer -subject -dates
This prints the issuer, subject, and validity dates of the certificate the firewall presents. If you manage the device on a custom port, replace 443 with that port.
Where to buy the best SSL certificate for Zyxel ZyWALL/USG?
SSL Dragon is your source for all your SSL needs. Our intuitive, user-friendly website walks you through the entire range of SSL certificates, and every product is signed by a trusted Certificate Authority and fully compatible with Zyxel ZyWALL/USG, USG FLEX, and ATP firewalls. Enjoy some of the lowest prices on the market and dedicated support for whichever certificate you choose.
Frequently Asked Questions
If you generated the CSR on the firewall, import the issued .cer, .crt, or .p7b file directly. If the key was generated off-device, bundle the certificate, chain, and private key into a PKCS#12 file (.p12 / .pfx) and import that, because the web configurator cannot import a standalone private key.
That almost always means the certificate and its private key were never paired. Importing a plain .crt when the matching key is not on the device leaves an unusable entry. Rebuild a .p12 bundle that includes the key (see Step 2B) and import that instead. If a bundle containing intermediates is rejected, export the .p12 with only the leaf certificate and key, and add the intermediates under Trusted Certificates.
You usually do not need to convert anything; .pfx and .p12 are the same PKCS#12 format. If your tool produced a .pfx and the firewall only lists .p12, simply rename the file extension from .pfx to .p12 before importing.
For the HTTPS management interface, set it under Configuration > System > WWW as the Server Certificate. For remote access, select the same certificate in the SSL VPN settings. Importing alone does not activate a certificate.
Yes. The current USG FLEX and ATP firewalls run the same ZLD firmware family as the classic ZyWALL/USG, so the menu path Configuration > Object > Certificate > My Certificates and the PKCS#12 import process are the same. Exact wording can vary slightly between firmware versions.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


