You can create CA on Mikrotik itself, then create certificate for server (and sign it using CA), then create client certificate (and sign it using CA), export client certificate (protected by password, because RouterOS doesn’t export private key without password) and configure IPSec identity based on this certificate.
http://forum.mikrotik.com/t/ipsec-ike2-with-certificates-vpn-server-guide-for-remote-access/149434/1
or this
https://mum.mikrotik.com/presentations/MY19/presentation_7008_1560543676.pdf