If you already have an SSL certificate through a certificate authority such as Thawte or Verisign, you need to configure your application server to use the certificate. It can then be used by the Pentaho Server. Apache provides documentation for configuring Tomcat for CA-signed certificates: http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html. Just follow those procedures, and skip the sections below that deal with self-signed SSL certificates.
After the application server is configured to use your certificate, you must modify the base URL tokens for both the Pentaho Server and the User Console. Make sure you follow the directions for changing the Pentaho Server Base URL. Without executing those changes, your server will not work over HTTPS.