Using a certificate from a trusted PKI is almost pointless. A certificate verifies that the DNS name you are accessing actually belongs to the server you end up talking to. With PEAP (eap EAP-TTLS) the WiFi client does not know the DNS name of the RADIUS server it will be talking to. The most you could do is to create a group policy to pre-mark it as a trusted certified. It is often easiest to deploy a Microsoft CA server on one of your existing servers, so it is AD integrated, and then let the NPS servers request the certified. Having the CA server part of AD makes all the AD joined computers trusted it automatically. For customers that don't have Microsoft CA deployed these days I frequently generate special self signed certificates using openssl, and then just create a group policy to tell all AD members to trust the certificate. But the process is quite complicated to explain. Using the Microsoft CA is much easier if you have not done it before.
... View more