I really appreciate you clarifying this requirement for us.
You have options.
If you are using the licensed version of Centrify (I'm saying this because this is in the Express forum).
You should be able to use a the "Enable Machine Wi-Fi Profile" GPO and the native ability of the client to use Microsoft PKI and auto-enrollment to help you simplify this process.
Here's a checklist approach: http://community.centrify.com/t5/TechBlog/HOWTO-A-checklist-approach-to-enable-802-1x-networking-on-OS-X/ba-p/19838
Alternatively, if you don't have the licensed version, you could leverage the adcert command to get the certificate pulled into your Keychain store provided that you have Microsoft PKI set up correctly. This could work with another CAs if you are creative enough :-)
Ultimately, what we are trying to avoid here is a solution that will rely on a password (embedded or vaulted) because ultimately it's not a "kosher" security practice.
Robertson