Posts: 2,153 | Thanked: 8,462 times | Joined on May 2010
#17
Originally Posted by Malakai:
You mean that even if I don't specify a certificate when asked by the connection wizard (so I leave it blank), a certificate is still required and that certificate should be in my N900 like every other certificate?
If yes, is there a security problem with not having that certificate and connecting to that wifi hotspot? In other words, what does that certificate secure? The user and password used? The connection?

First you need to understand how wifi works. There are several layers; to simplify:

- wifi frames
- aes encryption
- wpa2 protocol (key exchange, encryption)
- eap auth

Basically wpa2 is there to get keys for aes encryption (every packet is encrypted) and those keys change over time. Normally packets of all clients are encrypted with the same aes key, so you can listen to the (encrypted) communication of other clients. But when you also use the EAP protocol in wpa2 (sometimes called wpa2-enterprise), each connected client has a different aes key and therefore you cannot monitor & decrypt the communication of other clients. The EAP protocol is there for client authentication plus the keying material needed for aes encryption.

EAP, which stands for Extensible Authentication Protocol, is a simple protocol which can support a lot of algorithms/methods that provide authentication plus a way of exchanging wpa2/aes keys.

The EAP methods PEAP, TLS and TTLS use the TLS protocol to create a secure channel between client and AP. EAP is an unencrypted protocol.

So the next layer is TLS. Same implementation as in web browsers (https). The server sends the public part of the server certificate and all certificates in the chain signed by some certificate authority.

To be sure that you are speaking with the correct TLS server, you need to have (at least) the fingerprints of trusted certificates in your local store. Same as with https.

So, you need to trust the certificate because:

* it is used for creating a secure tunnel with the server in which you send your username & password for authentication to the wifi hotspot (in the case of PAP and GTC, the password is in plain text)

* it is used for exchanging aes keys between the client and the wifi hotspot; the keys are used for encrypting all packets

Originally Posted by Malakai:
Will this command be the one to use, as I am not sure:

$ gconftool -s -t boolean /system/osso/connectivity/IAP/<UUID>/EAP_disable_certificate_check true

As I am out of town, it will have to wait for a few days as I don't have access to any of my ISP's wifi hotspots where I am, but as soon as I try it I will let you know.

Yes, but I really do not know if it works...
 

The Following 3 Users Say Thank You to pali For This Useful Post:
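
An added example, not part of pali's post or of the N900 software: the certificate point above, checked against a wpa_supplicant-style configuration (an assumption, since the N900 keeps these settings in gconf). It flags networks that use PEAP/TLS/TTLS with no CA certificate configured and rates PAP/GTC inner methods higher; the sample configuration, SSIDs and paths are constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (assumption: the N900 keeps
# the equivalent settings in gconf; SSIDs and certificate paths are made up).
SAMPLE_CONF = '''
network={
    ssid="isp-hotspot"
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="campus"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="office"
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=GTC"
}
'''

TLS_METHODS = {"PEAP", "TLS", "TTLS"}   # EAP methods the post says run over TLS
PLAINTEXT_INNER = {"PAP", "GTC"}        # inner methods that carry the password itself

def parse_networks(text):
    """Return one {key: unquoted value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^[ \t]*(\w+)=(.*?)[ \t]*$", body, re.M)
        nets.append({key: value.strip('"') for key, value in pairs})
    return nets

def audit(text):
    """List (ssid, severity) for TLS-based EAP networks with no trust anchor."""
    findings = []
    for net in parse_networks(text):
        uses_tls = TLS_METHODS & set(net.get("eap", "").upper().split())
        if not uses_tls or net.get("ca_cert") or net.get("ca_path"):
            continue  # not TLS-based EAP, or the server certificate is checked
        inner = re.findall(r"auth(?:eap)?=(\w+)", net.get("phase2", ""), re.I)
        plaintext = PLAINTEXT_INNER & {m.upper() for m in inner}
        findings.append((net["ssid"], "high" if plaintext else "medium"))
    return findings

if __name__ == "__main__":
    for ssid, severity in audit(SAMPLE_CONF):
        print(f"{severity:6} {ssid}: EAP over TLS without ca_cert/ca_path")
```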