Hi,
First - the certificate request should have been created o nthe Firewall. You cannot sign a CSR generated on some other machine, sign it with a CA and load it on the Firewall for local use.
Once a CSR is created on the Firewall, you can submit the CSR for signing to the CA. The Firewall will retain the private key, which cannot be extracted out.
Once you receive signed cert from CA, please start with step-3 of the KB shared by Rushi.