You can import the password-protected pfx at the REST admin directory using the "Import Existing Server Certificate" operation. You will need to do this for both Server and Portal to establish trust.
Server Admin directory: Navigate to machines > [machine name] > SSLcertificates > importExistingServerCertificate and browse to your CA-signed pfx certificate.
Then, go back to your Machine page and click "edit."
For "Web server SSL Certificate", add the alias of the CA-signed certificate that you just imported:
You will need to do the same at the Portal Admin directory. Navigate to Security > SSLCertificates > Import Existing Server Certificate and browse to the CA-signed cert.
Then, navigate to Machines > Machine Name > SSLCertificates > Update and specify the alias for the imported certificate.
Hope this helps!