It is not advisable to use a self-signed certificate for the Captive Portal as it us unlikely that the clients will trust it thus breaking the Captive Portal. InstantOS does not have the ability to generate a CSR, so you should do this 'off box'.
Once you have the Certificate from your CA, ensure it is in .pem format for it to be uploaded. You will need to include the Root & Intermediate CAs as well if using a Public Cert.
The below link, although not directly related to your task it does contain some good information.
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=153ef9a1-a573-4ccb-80cb-3edac3ce2869------------------------------
Craig Syme
------------------------------
Original Message:
Sent: Jan 15, 2021 06:13 AM
From: jose perez
Subject: Certificate captive portal expired
------------------------------
jose perez
------------------------------