The one thing to remember is that the 802.1X standard doesn't particularly care if the certificate is valid or not (from a CRL / OCSP standpoint) for PEAP.
When you get that popup on the client, its simply saying, you've never connected to this network (ESSID) and I don't have a configuration for it, do you trust this server (certificate) to send your credentials to?
It would be the equivalent of walking into a TD Bank and them handing you a deposit slip with a Bank of America logo. You probably shouldn't put your account number down on that slip since you know you are inside a TD Bank.
This was a good chunk of my 802.1X presentation last week at Airheads. Here's the slides:
http://community.arubanetworks.com/t5/Americas-Airheads-Conference/Breakout-Real-world-802-1X-Deployment-Challenges/gpm-p/129211