LuCI's OpenConnect Client with user cert and key

Hello, comrades.

For the past few hours I've been trying to get the subject working. I have a 19.07.1 with the luci-proto-openconnect pkg installed and got a pfx personal cert from my org. I converted it to PEM format with

openssl pkcs12 -in my_cert.pfx -nocerts -out cert.pem

and removed the passphrase from the PEM with

openssl rsa -in cert.pem -out cert.key

Also, I've got a CA cert in base64 format.

Everything provided is properly used in the web GUI, and yet I can't connect to my org. Here is the log:

daemon.info openconnect[11874]: POST https://?
daemon.info openconnect[11874]: Connected to ?
daemon.info openconnect[11874]: SSL negotiation with ?
daemon.info openconnect[11874]: Server certificate verify failed: signer not found
daemon.notice netifd: (11874): Certificate from VPN server "?" failed verification.
daemon.notice netifd: (11874): Reason: signer not found
daemon.notice netifd: (11874): To trust this server in future, perhaps add this to your command line:
daemon.notice netifd: (11874): --servercert ...
daemon.notice openconnect[11874]: SSL connection failure: Error in the certificate.
daemon.notice openconnect[11874]: Failed to open HTTPS connection to ?

As far as I understand, I should not get any errors related to the server's certificate SHA1 hash because I provided a CA cert to validate the server's certificate. Sigh.

OK, I've added the proposed hash to the config and re-ran it. I got the following error:

Your certificate is invalid for the selected group

Yeah, right, but there is no auth group provided by the server. OK, I tried auth group DEFAULT. No luck.

On Windows, OpenConnect-GUI connects without any trouble. It does not ask for an auth group either. I looked into the log for some info and noticed this:

16:29:33 | 1878 | Connected to ?
There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
16:29:33 | 1878 | There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
16:29:33 | 1878 | There was a non-CA certificate in the trusted list: CN=Root Agency.
16:29:33 | 1878 | Using client certificate 'username'
16:29:33 | 1878 | Adding supporting CA 'ACME External CA 2'
16:29:33 | 1878 | SSL negotiation with ?

These strings about the cert are absent on OpenWrt. So, my guess is that openconnect does things wrong... or I do.

Who can help me deal with this issue?

Thanks.
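
A check for what the files produced by the conversion steps above actually contain, as an added example that is not part of the original post: with `-nocerts`, `openssl pkcs12` writes only the private key, so it helps to confirm which PEM block types each file holds before filling in the user certificate, user key and CA certificate. The function names and output file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post; output file names are placeholders.

# Print the label of every PEM block in a file, e.g. "CERTIFICATE".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Classify a file as: cert, key, cert+key, encrypted-key or none.
pem_role() {
    certs=0 keys=0 enc=0
    while IFS= read -r label; do
        case $label in
            "ENCRYPTED PRIVATE KEY") enc=1 ;;
            *"PRIVATE KEY")          keys=1 ;;
            *CERTIFICATE)            certs=1 ;;
        esac
    done <<EOF
$(pem_labels "$1")
EOF
    # Traditional-format keys flag encryption in a header, not the label.
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && enc=1
    if   [ "$enc" = 1 ]; then echo encrypted-key
    elif [ "$certs$keys" = 11 ]; then echo cert+key
    elif [ "$certs" = 1 ]; then echo cert
    elif [ "$keys" = 1 ]; then echo key
    else echo none
    fi
}

# Check the user certificate, user key and CA certificate files.
# Prints each mismatch and returns non-zero if any file has the wrong role.
check_vpn_files() {
    rc=0
    [ "$(pem_role "$1")" = cert ] || { echo "$1: want certificate, got $(pem_role "$1")"; rc=1; }
    [ "$(pem_role "$2")" = key ]  || { echo "$2: want unencrypted key, got $(pem_role "$2")"; rc=1; }
    [ "$(pem_role "$3")" = cert ] || { echo "$3: want CA certificate, got $(pem_role "$3")"; rc=1; }
    return $rc
}

# Split a PKCS#12 bundle into those three files (needs openssl, prompts for
# the import password). -nodes leaves the key unencrypted, hence umask 077.
split_pfx() {
    ( umask 077
      openssl pkcs12 -in "$1" -clcerts -nokeys -out user-cert.pem &&
      openssl pkcs12 -in "$1" -nocerts -nodes  -out user-key.pem &&
      openssl pkcs12 -in "$1" -cacerts -nokeys -out ca-chain.pem )
}
```

Run `check_vpn_files user-cert.pem user-key.pem ca-chain.pem` after splitting; a role of `none` for the CA file means the bundle carried no CA certificates and the CA has to come from elsewhere.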