You can sign it with your own CA if required, but it works without it as well. I wanted to explore the possibility of a cert-only sign-on where the SP requires the username as part of the subject. SM allows usage of automatic attributes there, like owner email or device serial number. I just got the code wrong. It should read CN= [owner email], not just [owner email].
Trusted access is not really our cup of tea. We do want to restrict access to prod WiFi to enrolled devices only, and the WiFi settings payload does a good job as it is. Custom certs, however, provide a flexible way to implement passwordless authentication, and I can generate different certs for different subsets of users accessing different SPs. If Meraki ever implements an SRL, that would be great.