If you have not yet added a root and intermediate certificate, created a Certificate Signing Request (CSR), and ordered your certificate, see CSR Creation for a Checkpoint VPN Appliance.
Open the Device you are going to have the SSL Certificate served from, then go to IPSec VPN, click Complete, then find your_domain_com.crt then click Ok.
If you are allowing Clientless VPN login, click that option, then select the certificate for this specific gateway (cert nickname).
To allow VPN Client login, click that option under IPSEC VPN, then choose 'SSL Network Extender' and select the certificate by its nickname and click 'Ok'.
Click the Install policies button (next to the green checkmark button above the 'Anti-spam & Mail' tab, and see image below)
Select which Installation Targets the certificate will be sent to.
You can choose to install this certificate on each gateway by clicking the radio button, and as a safeguard, you can click the box to not install it at all if it fails.
To help you track database changes, you can click the checkmark and name the database change, and leave a comment about it.
This will reset the settings and push the new policy out to clients.