You can replace the RAP factory certificates - it was a requirement from our security team...
We've imported our org CA cert and have an org signed cert on the controller ( Config / Certificates )
That signed cert is then used for the IKE Server Certificate ( Advanced Services / VPN Services ), we then added the org CA cert to the CA Certificate Assigned for VPN-Clients
After the RAP converted initially, we target rapconsole.arubanetworks.com via a WLAN connection to the RAP ( made a change to the default policy to allow local http console access )
Then on the Certificate tab, we upload our CA signer cert, generate and sign the CSR on the RAP, then after a reboot they associate with the flags R2uE when they connect to the staging controller.
We have a staging controller that still allows the factory cert and our cert for the RAP connectivity. After the RAPs are validated as R2uE, we then associate them with one of our Prod Internet-facing controllers where the factory certificate has been removed as an IKE Server Certificate (there is an additional command to remove the factory cert for the IKE Server Cert; you can't do this in the UI - talk to your SE).
Though now for us, if you reset the RAP you can no longer use it externally; you have to bring it back in to our bench area to re-associate it with the staging controller and go through the process of getting a new cert. A reset wipes any non-factory certs... Also I believe I've read that there is SCEP in the works to make this a whole lot smoother?
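An added example, not part of the post above and not Aruba tooling: a bench-side check, assuming the CSR is signed with OpenSSL on a workstation, that a freshly signed RAP certificate chains to the org CA before the RAP is moved from staging to a production controller that trusts only that CA. The names `org-ca`, `other-ca` and `rap-01` are constructed lab values, and all keys are generated on the spot.

```shell
#!/bin/sh
# Constructed lab data: every key, name and file below is generated here for
# illustration; none of it comes from the post or from a real controller.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA (stand-in for the org CA, or for any other CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_csr NAME: key pair plus CSR, standing in for the CSR generated on the RAP.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_csr CA NAME: issue NAME's certificate from its CSR, signed by CA.
sign_csr() {
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
        -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to CA NAME: exit 0 only if NAME's cert verifies with CA as trust anchor.
chains_to() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca org-ca        # the CA the production controller trusts for VPN clients
make_ca other-ca      # any CA the production controller does not trust
make_csr rap-01
sign_csr org-ca rap-01

if chains_to org-ca rap-01; then
    echo "rap-01: chains to org-ca, OK to upload"
else
    echo "rap-01: does NOT chain to org-ca, re-sign before upload"
fi

# Negative control: the same cert must fail under a different trust anchor,
# which is the position a RAP without an org-signed cert is in on production.
if chains_to other-ca rap-01; then
    echo "unexpected: rap-01 verified under other-ca"
else
    echo "rap-01: rejected under other-ca, as expected"
fi
```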