It all depends on your setup. We generally recommend running a frontefacing webserver that proxies dynamic content (/xas and /ws) to the mendix runtime. I don't know about the specifics of IIS (and how we integrate the ssl certificates exactly), but there's loads of info on the interwebs on how to hook up your SSL certificates to either nginx or apache.
I don't know what you mean exactly by using tomcat, the runtime uses jetty internally, which doesn't have support for SSL certificates.