As a side note, starting with ClearPass 6.5, you can configure Web based Provisioning to allow 'unsupported devices' to manually onboard. If Onboard detects an unsupported device, it will offer the user to generate and download a certificate that can be installed on the device by the end-user.
This might be a useful alternative for the manual certificate creation by the admin.