Gotcha, yeah, I spent some time reading all this through last night too.
The certificate is hard coded on the BGW. Seems there’s a tool that we can use to extract that: https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html
There are a lot of people that has this down and working on Ubiquiti routers.. We should be able to do the same. Also another thread related: http://forum.mikrotik.com/t/wpa-supplicant-on-rb4011/129677/1