Thank you for the response!
For SAML authentication the certificate is being uploaded here.
The primary concern was how to introduce a company wildcard already signed certificate (*.domain.com) to the firewall.
I only found sk69660 describing a procedure starting with CSR and sending it to the 3rd part CA for signing etc.
But there is a way how to bypass CSR and proceed with already signed certificate.
we had a *x509.cer certificate with a *.key (private key)
first step was to rename *x509.cer to *x509.crt
make sure that the CRT file has the full certificate chain up to a trusted root CA.
second step was to combine *x509.crt with *.key
this step is documented in sk69660
[Expert@gw]# cpopenssl pkcs12 -export -out Final_cert_name.p12 -in *x509.crt -inkey *.key
Then the last step is just to upload it to the portal settings according to your picture or the other picture.
All worked like a charm.