Hi!
A CSR can be exported from the gateway and be signed by a CA. After that, it can be imported back into the gateway. Export and import an be done using RESTMan.
I did that with a gateway running here: oauth.blog If you check the certificate, you can find that it is signed by LEt's Encrypt.
Best regards!