please see Configuration->User Interface. You can import any certificate you have a private key file for. Additionally you can create a self-signed certificate. If you need to generate a CSR to have it signed by an external source this needs to be done via openssl on the command line, it can't be done on the UI. The UI can only import an already signed certificate.
A key and certificate request can be generated with the following command:
openssl req -nodes -newkey rsa:2048 -keyout mwg.key -out mwg.csr
This can be done on any system with openssl, it is not restricted to the Web Gateway. It is even possible to do it with Windows.
The command will generate a new RSA key with keylength of 2048 bits, saved as mwg.key. The actual CSR will be called mwg.csr.
You will be prompted for several pieces of information. This is put into the CSR so that the certificate is issued for the proper company and hostname.
After being signed by your CA, the certificate and key are imported into the UI. The MWG never needs to see the CSR.