You can configure the captive portal to use HTTP by configuring the port in the captive portal profile as "80".
You can also import an SSL certificate from a well-known Certificate Authority into the IAP cluster by combining the certificate, the intermediate and the private key into one PEM certificate.
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
PRIVATE KEY
-----END RSA PRIVATE KEY-----
You can even use any web server you like too and configure the captive portal there. I have done this before by first using the internal captive portal, view and copy the source HTML from that portal and reverse engineer the code into a custom captive portal on an external web server. This also works.