802.1x certificate checking is a big mess because it is totally unclear what the certificate should certify.

The WiFi alliance should have specified a domain name instead of an SSID, then you could just have checked the certificate for that.