Hi,
This is what i do with private CA (using openssl), you may get it done using public CA.
1) Generate CSR for FQDN of captive portal. (for example, the url of my captive portal is vc1.panda.internal, this should be resolvable by DNS of client devices)
2) Submit this CSR to CA (public/private)
3) CA will provide you (depending on the encoding format) probably a .crt file and .key file
4) These files can be opened in notepad. You will see begin certificate --- end certificate in .crt file and begin private key, end private key in .key file.
5) Combine both these files. Simply copy .key file content to .crt file like below
-----BEGIN CERTIFICATE-----
MIIDqzCCApOgAwIBAgIJAMmKxQ6aKcBzMA0GCSqGSIb3DQEBCwUAMHUxCzAJBgNV
upub3KvnMEtPMUHPs4GsmyhiL0TOjVcdWc2ScPgYrgcv/1Pcbh7qErQsd/q+iMYK
nNmUIlWCTIT1fQTdgqSq5uXFoNan3mpf06cyPESG1Q==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAvw1jGLQcFOYExHQUUEhovsEwuVEvkcrBbJymvld+y3NhZMp6
OkeJrPtXItZRIt7PLS+a+iwJvlEKAWimmH9U4eSKRZAaK6t+fjrx2OzXMkcb8tDD
JP8KP/mR3bPuoQT8U8jGJUKqEdwa2mrgv4kW775fdAyOCri/vnrEOpk=
-----END RSA PRIVATE KEY-----
6) Go to maintenance window > Certificates. Select captive portal and format should be CER, upload the newly updated file, next you have to enter the password for private key, simply enter any password you like and upload.