Simply not going to happen. Even if you did get the cert out of some device, you still have to have that device's model/serial to authenticate. (the cert isn't unique to each device.)
In this, you're better off with the NVG as there are tricks to get it in a true bridge mode, while still doing the dot1x auth.