To do EAP-TLS termination on the controller, you first need to generate a server certificate for the controller. You then need to go to Configuration > Management > Certificates and upload the Server Certificate as well as the CA certificate that generated the Controller Server Certificate. You then need to go into your 802.1x profile and select the name of the Controller Server Certificate and the CA certificate.
After that, you can enable EAP-TLS termination. It might, however, break your EAP-PEAP Termination if your clients do not trust the new CA selected or the Controller Server Certificate that you selected. It will be a tough migration without doing some testing ahead of time.
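
Added example, not part of the original post: a pre-upload check with `openssl` that confirms the server certificate really was issued by the CA certificate you plan to select alongside it. The file names, subjects, the serverAuth EKU check and the 30-day expiry window are assumptions of this example, and the certificates are constructed throwaway material.

```shell
#!/bin/sh
# Added example: sanity-check a server/CA certificate pair before upload.
# File names, subjects and the 30-day window are assumptions for the demo.

check_pair() {   # $1 = server cert (PEM), $2 = CA cert (PEM)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "FAIL: server cert was not issued by this CA"; return 1; }
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication" \
    || { echo "FAIL: serverAuth EKU missing"; return 2; }
  openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
    || { echo "FAIL: expires within 30 days"; return 3; }
  echo "OK"
}

make_sample() {  # $1 = directory; writes constructed throwaway certificates
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  for ca in ca other-ca; do   # two unrelated lab CAs
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ext.cnf" -extensions ca \
      -subj "/CN=Example Lab $ca" -days 365 \
      -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
    -subj "/CN=controller.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/ext.cnf" -extensions srv \
    -out "$1/server.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo"
check_pair "$demo/server.pem" "$demo/ca.pem"                 # the CA that issued it
check_pair "$demo/server.pem" "$demo/other-ca.pem" || true   # wrong CA selected
rm -rf "$demo"
```

Running the same `check_pair` against the real files catches a mismatched CA selection before any client is affected; it does not tell you whether clients trust that CA, which still needs testing on the supplicants themselves.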