Thanks cappalli,
We bought a public cert and uploaded it to our instants and it's currently working.
We also have an m3 controller that offloads to Clearpass for guest auth, documentation that I have found suggests I need to upload the cert as a "Server Cert" but I get an error saying there is a problem with the cert format.
I was able to upload it as a public cert, but it won't let me use it for captive portal.