Wow, what an interesting question... And my part :)
I didn't like OpenConnect. Some kind of clumsy knee-length piece, for which you almost write scripts yourself - very much reminded me of a raccoon (racoon), in which everything also seemed to work, only all this had to be tied up with a bunch of scripts.
Here the question immediately arises - where is CA? Is the standard screw CA used or manual? The standard Windows CA is practically useless for software that is not from M$ - it stupidly does not know how to work with it - and even in order to get them into MS Outlook mail, you have to beat a huge tambourine.
Then the second question - what do you mean by "with the help of certificates"? Is it just a server certificate and a remote host certificate, or say a user certificate and a server certificate? More information is needed - who should cling to AD, what certificates are meant, where they come from, etc.
The task is not easy and quite possibly unsolvable in the current formulation.