A few things going on here, let me see if I can answer these by topic:
CIPHERS
We use TLS to handle the UI. So you're looking at TLS 1.0 1.1 and 1.2. With these, the default is TLS 1.2 only. There's a toggle on AMP Setup -> General -> Additional AMP services expansion -> "Disable TLS 1.0 and 1.1" which is defaulted to 'Yes'.
The ciphers you described have more of an impact for SSH which is in /etc/ssh/ssh_config. If this is your goal, you might look into 8.2.4 or newer where we added a toggle for FIPS enable at the CLI level - this sets it to only the Federal certified ciphers. Once you upgrade past 8.2.4, this will be a toggle in the AMPCLI Security menu, enabling FIPS ciphers requires a reboot.
APACHE mod_ssl
While you could do things in the background in 8.2.3 like installing mod_ssl, it is not advised since it's not a tested / supported change - so proceed at your own risk, but grab a nightly backup before you do (from the UI: System -> Backups page.
Also, any changes you make in the background now will be hard to get to / maintain when you eventually upgrade since 8.2.3 is 2 years old. 8.2.6 is the current general release with a patch update expected mid April. In releases 8.2.4 and newer - the root shell is gone and there's now the limited AMPCLI shell.
CLEARPASS
Clearpass and AirWave are 2 separate software products that live in their own install instances.
SSL certs
When you do upgrade, the AMPCLI menu makes the SSL cert change process easier as it gives you the option to load your own SSL cert, or generate a CSR to load in an official signed cert.
If you go the SSL cert, then we're expecting a cert that meets: "The file must be in PKCS12 format with ".pfx" or ".p12" filename extension and should contain both the private key and the certificate." The cert should be a bundle of the key, CA, and all the intermediates in the chain.
If you go the CSR route, then it will just be the PEM formatted cert with a *.crt extension.