Indeed it is best to create your own private Certificate Authority and create the EAP/RADIUS certificate from there. If you have MS Active Directory Certificate services, check this video for some guidance. Otherwise you can use OpenSSL (Google and you will find). Or buy a publicly signed SSL Server certificate.
Check the ClearPass Certificates 101 Technote for some more background on which RADIUS (EAP) certificate to generate/purchase.
If you really want to get the certificate in order to import it into your clients, it probably is the same certificate that is used for the WebUI. So you can export the certificate when you have the Instant WebUI open with the browser tools. Be warned that you cannot export/backup the private key so if you need to reset the IAP config or want to replicate the solution to another location, you can't. For that (and more reasons), don't use the default cert.