Here's your options:
If you're supporting BYOD devices without Onboard, you'll need to get a publicly signed certificate.
If you're supporting only managed clients (Group Policy or Profile Manager/MDM), then you can use a self-signed certificate.
If you're using Onboarding for ALL users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.
If you're using Onboarding for ALL user and doing dual SSID onboard, you can use a self-signed or private RADIUS server cert, but you need a public web server certificate.
If you're using Onboarding for some users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.
If you're using Onboarding for some users, and doing dual SSID onboard, you'll need a publicly signed RADIUS and web certificate.