If you have a .p12 (PKCS#12) certificate package, for example one exported from pfSense, you need to extract the certificates and the private key first.

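# Extract CA Certificate
# -cacerts selects only the CA certificates and -nokeys keeps the private key out of the output.
# CA.crt becomes the trust anchor for the authentication server, so check that it is
# not empty and that it is the CA you expect, e.g.:
#   openssl x509 -in CA.crt -noout -subject -fingerprint -sha256

openssl pkcs12 -in test.p12 -cacerts -nokeys -out CA.crt

# Extract Client Certificate
# -clcerts selects only the client certificate; -nokeys again leaves the key out.

openssl pkcs12 -in test.p12 -clcerts -nokeys -out client.crt

# Extract Client Key
# -nocerts writes only the private key; openssl asks for a PEM passphrase to encrypt it.
# The subshell's umask 077 makes a newly created key file readable by its owner only,
# instead of leaving it at the default mode until the chmod step further down.

(umask 077 && openssl pkcs12 -in test.p12 -nocerts -out client.key)

# To avoid entering the password each time, you can remove the passphrase from the private key.
# client-nopass.key is then stored unencrypted, so file permissions are its only protection.
# If you prefer to keep the passphrase, skip this step and use client.key with private_key_passwd.
# "openssl rsa" handles RSA keys only; for other key types "openssl pkey" takes the same -in/-out.

(umask 077 && openssl rsa -in client.key -out client-nopass.key)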

# Edit wpa_supplicant.conf file

nano /etc/wpa_supplicant/wpa_supplicant.conf
# Control socket directory; members of group netdev may talk to wpa_supplicant through it.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
# Lets wpa_supplicant rewrite this file when the configuration is changed over the control interface.
update_config=1
# Regulatory country code; replace SI with your own country.
country=SI

network={
ssid="WIFI-SSID"
# WPA-Enterprise with EAP-TLS: both sides authenticate with certificates.
key_mgmt=WPA-EAP
eap=TLS
identity="your-identity"
# ca_cert is the trust anchor used to verify the authentication server's certificate; keep it set.
ca_cert="/path/to/CA.crt"
# Optionally also pin the server's name, so that only your RADIUS server is accepted rather
# than any certificate issued by this CA (constructed example value):
# domain_suffix_match="radius.example.org"
client_cert="/path/to/client.crt"
private_key="/path/to/client-nopass.key"
# Uncomment the following line if your private key has a passphrase
# (then point private_key at the encrypted client.key; the passphrase is stored here in
# clear text, so this file should be readable by root only)
# private_key_passwd="your-passphrase"
}

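# Set permissions
# The unencrypted private key must be readable by root only. The certificates are public
# data, so mode 600 on them is simply the tighter choice.

chown root:root /path/to/CA.crt /path/to/client.crt /path/to/client-nopass.key
chmod 600 /path/to/CA.crt /path/to/client.crt /path/to/client-nopass.key

# wpa_supplicant.conf names the key file and may hold private_key_passwd in clear text,
# so restrict it to root as well.

chown root:root /etc/wpa_supplicant/wpa_supplicant.conf
chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf

# test.p12 and the encrypted client.key still contain the private key; keep them somewhere
# protected or delete them once the connection works.

# Start Wifi connection
# -B runs wpa_supplicant in the background, -i selects the interface, -c the configuration file.

wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf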

# open /etc/network/interfaces and paste this:

# Bring wlan0 up automatically at boot and configure it over DHCP.
auto wlan0
iface wlan0 inet dhcp
# Use this wpa_supplicant configuration when the interface is brought up.
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

# Reboot Pi and connection should be established