Using APIC-EM PKI service, there is now way to change that. Either use own internal PKI service using your own trustpoint configuration from Prime. BTW PKI service on APIC-EM  for PnP clients are pretty much useless. I fact I will says it is not supported. It is only supported on IWAN application service.  (That includes 1.6) The documentation is horrible. You have no way revoking certificates, no easy way on the GUI to change certificates on the clients when the certs expire.  Cisco even recommend to have more than 2 years expire date because of that. And this is in my mind total brain damage. It is more secure to use preshared keys. I think you probably better off using AAA with ISE with shared keyes. You get unique password per node and a centralised service.  You probably could do more PKI services using API or  with open SSL. But going down that line:  The documentation is so poor that the hair you pull out will not grown back again if you want it to work. Cisco have very poor PKI services for Cisco nodes. ISE (2.3) does not support it. IOS PKI is quite old, but only works with SCEP for provisioning and CRL with all their weaknesses. . Tried using ECDSA based certificates? IOS-XE support it, but does not work, to many bugs. (Tried it on 3850: 16.3.X). Tried provisioning certificates with EST? Cisco have no EST central service. Total stop in development. No activity in their github.  I recommend using other 3 party PKI services other than Cisco.