You can basically convert it anywhere, where you have openssl. As long as you keep in mind, that leaving the private key somewhere is not a good idea so you should have a plan where to save the key in a safe space, later on. (In most cases I create the csr "off the box", import the p12 and save the keys etc. in safe spaces.)
And you won´t need to do that (key / csr creation) on the gateways/management server, as certificate is imported via SmartConsole.
So csr and private key are compatible but the cert is not. when opening the server certificate with windows or issue
cpopenssl x509 -noout -in <certfile> -text
cpopenssl req -noout -in csr.csr -text
and see, if this is the certificate you expect (see fields like " X509v3 extensions: // X509v3 Subject Alternative Name:" vs "Requested Extensions: // X509v3 Subject Alternative Name")
Did you edit the openssl.cnf before creating the csr? You should at least configure some names and so on (Hostnames the cert will be issued for) within the file.