With EAP Termination, the EAP tunnel termination point is moved from the RADIUS server to the controller or Instant AP. So you always need a certificate for EAP-PEAP (not recommended) or EAP-TLS operations on either RADIUS server or AP/Controller.
This feature was introduced in the time that RADIUS server lacked good support for EAP-PEAP/EAP-TLS or could not handle the cryptographic load. These days it is no longer recommended to use EAP Termination on the AP or Controller, and in general you should put the certificate on the RADIUS server.