
ISE Certificate and Service Use

NetDevOp
Level 1

Is there a way to tell when a service is in use in ISE?

 

I have a 7-node ISE deployment and a couple of self-signed certs are expiring. Cisco tells me it is standard practice to just use self-signed certs for services that are expiring.

The Used By field for these self-signed certs is: Portal, EAP Authentication, RADIUS DTLS

Portal is pretty obvious, but how can I tell if EAP or RADIUS DTLS is in use on this node?

The node in question is: Policy Service SESSION,PROFILER,DEVICE ADMIN

Thanks

Accepted Solution

@NetDevOp, from your output the node is a Policy Service Node (PSN); assuming your endpoints use 802.1X for authentication, you are using the EAP certificate.

RADIUS DTLS would only be used if your NADs (switches, WLCs, etc.) have been configured to encrypt the RADIUS communication; if your NADs have the configuration as per the following guides, then you are using that certificate also.

https://community.cisco.com/t5/networking-knowledge-base/configuring-radius-over-dtls-with-cat9k-and-ise-3-0/ta-p/4438427

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/222537-configure-radius-dtls-on-ise-and-9800-wl.html

If none of the NADs are configured to use RADIUS DTLS, then that certificate is not in use; you can check each NAD to confirm whether DTLS is required.


Typically you would use an internal CA-signed certificate from an Active Directory CA or a publicly signed certificate for EAP, as the client devices will trust a certificate issued from the AD domain or a public CA. Endpoints are unlikely to trust an ISE self-signed certificate without the CA certs being distributed to them.

The ISE Admin certificate could be self-signed.

Refer to this guide for more information on ISE certificates.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html
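The check Rob describes (look at each NAD and see whether it is configured for RADIUS over DTLS toward the PSN) is easy to script once you have the running-configs collected. The following is an added example, not code from the thread or from Cisco: it parses IOS-XE style `radius server` blocks from several NAD configs and reports, per ISE node IP, which NADs talk plain RADIUS and which use DTLS, so you can see at a glance whether the RADIUS DTLS certificate on a given PSN is actually in use. The NAD names, IPs and config excerpts are constructed; the `dtls` sub-command forms follow the Cat9k guide linked above, but exact keywords vary by platform and release, so the parser only relies on a sub-line starting with `dtls` inside a `radius server` block.

```python
"""Report which ISE PSN IPs are targeted by RADIUS DTLS from the NADs.

Added example (not from the original thread). Parses IOS-XE style
'radius server' blocks from collected running-configs. All hostnames,
IPs and config text below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed running-config excerpts, keyed by an assumed NAD hostname.
NAD_CONFIGS = {
    "core-sw1": """
radius server ISE-PSN1
 address ipv4 10.10.1.11 auth-port 1812 acct-port 1813
 key 7 0829455A0C
radius server ISE-PSN2
 address ipv4 10.10.1.12 auth-port 1812 acct-port 1813
 key 7 0829455A0C
""",
    "edge-sw7": """
radius server ISE-PSN1
 address ipv4 10.10.1.11 auth-port 2083 acct-port 2083
 dtls port 2083
 dtls connectiontimeout 10
 dtls match-server-identity hostname ise-psn1.example.com
 dtls trustpoint client NAD-CERT
 dtls trustpoint server ISE-DTLS-CA
""",
}

BLOCK_RE = re.compile(r"^radius server (\S+)")
ADDR_RE = re.compile(
    r"^address ipv4 (\d+\.\d+\.\d+\.\d+)(?:\s+auth-port (\d+))?(?:\s+acct-port (\d+))?"
)


def parse_radius_servers(config):
    """Return one dict per 'radius server' block: name, ip, auth_port, dtls."""
    servers = []
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top-level line: a new 'radius server' block starts, or the
            # previous block ends (any other global command).
            m = BLOCK_RE.match(raw)
            current = None
            if m:
                current = {"name": m.group(1), "ip": None,
                           "auth_port": None, "dtls": False}
                servers.append(current)
            continue
        if current is None:
            continue  # indented line outside a radius server block
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            current["ip"] = m.group(1)
            # IOS-XE defaults auth-port to 1812 when it is not given.
            current["auth_port"] = int(m.group(2)) if m.group(2) else 1812
        elif line.startswith("dtls"):
            # Any 'dtls ...' sub-command means this server entry is DTLS.
            current["dtls"] = True
    return servers


def dtls_usage(nad_configs):
    """Map each ISE node IP -> {'dtls': [NADs using DTLS], 'plain': [NADs using UDP RADIUS]}."""
    usage = defaultdict(lambda: {"dtls": [], "plain": []})
    for nad, cfg in nad_configs.items():
        for srv in parse_radius_servers(cfg):
            if srv["ip"] is None:
                continue
            usage[srv["ip"]]["dtls" if srv["dtls"] else "plain"].append(nad)
    return dict(usage)


def is_dtls_in_use(nad_configs, psn_ip):
    """True if at least one NAD is configured for RADIUS DTLS toward psn_ip."""
    return bool(dtls_usage(nad_configs).get(psn_ip, {}).get("dtls"))


if __name__ == "__main__":
    for ip, u in sorted(dtls_usage(NAD_CONFIGS).items()):
        state = "RADIUS DTLS cert IN USE" if u["dtls"] else "RADIUS DTLS cert not in use"
        print(f"{ip}: {state}; DTLS from {u['dtls'] or '-'}, "
              f"plain RADIUS from {u['plain'] or '-'}")
```

Run it against the configs you pull from the NADs (one `show running-config | section radius server` per device) and any PSN IP that shows up with an empty `dtls` list is one where the RADIUS DTLS certificate is not in use; the EAP certificate is a separate question, since it is presented inside the EAP exchange to supplicants doing 802.1X, not to the NADs.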

 

 


NetDevOp
Level 1

Thank you for the detailed reply Rob, this is clear now.