maxpower
newbie
Topic Author
Posts: 26
Joined: Fri Dec 05, 2014 4:45 pm

SSTP + Win7 + Self signed cert.

Fri May 17, 2019 4:38 pm

Strange situation: a self-signed CLIENT cert issued on MikroTik and imported into Win7 does not work, because Win7 cannot verify its authenticity. But if I import the CA cert from the MikroTik which was used to sign the CLIENT certificate, then Win7 can connect. At the same time, if I remove the CLIENT certificate from Win7 and leave only the CA cert, this is enough for Win7 to connect to the SSTP server on MikroTik.

In SSTP server settings I have the CLIENT certificate selected, not CA.

Should I set the CA cert on MikroTik as "non trusted"?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:11 pm

It is also possible to make a secure SSTP tunnel by adding additional authorization with a client certificate.
...
This scenario is also not possible with Windows clients, because there is no way to set up client certificate on Windows.
In other words, Windows clients can't use client certificates.
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:12 pm

Windows client does not use client certificate. Only server side verification is happening.
 
maxpower
newbie
Topic Author
Posts: 26
Joined: Fri Dec 05, 2014 4:45 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:21 pm

And how does the Win7 client verify the MikroTik server? Only by the CA cert? If I issue a CA cert on MikroTik, set it as the certificate in the SSTP server settings and import it to Win7, will this chain work fine? After the CA cert has expired, would no connection be possible?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:27 pm

Standard config is one CA certificate and it's used to sign server certificate. Server uses server certificate (as could be expected) and client needs CA certificate to verify server. If you get server certificate from official trusted CA, you don't need to do anything on client. If you use your own CA, you need to add CA certificate on client. A self-signed certificate for server, which you would also need to add to client, should probably work too.
 
maxpower
newbie
Topic Author
Posts: 26
Joined: Fri Dec 05, 2014 4:45 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:39 pm

So I need to import CA (that was used to sign the cert that is stated in SSTP server settings) to WIN7 and that would be enough? As soon as CA cert is expired - no connection is possible?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 10:23 pm

As soon as CA cert is expired - no connection is possible?
That's the whole idea about certificate validity.
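
The trust relationship discussed in this thread, reproduced with the OpenSSL command line as an added example (not part of any post, and not RouterOS or Windows tooling): a CA signs the server certificate, the client holds only the CA certificate, and the check is repeated at a time after the CA has expired. The names demo-ca, other-ca and sstp.example.test and the 30/365-day lifetimes are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: all names and lifetimes below are made up.
set -eu
WORK=$(mktemp -d)
NOW=$(date +%s)
DAY=86400

# Minimal config so each CA certificate carries basicConstraints CA:TRUE.
printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
  '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$WORK/ca.cnf"

# new_ca NAME DAYS: self-signed CA certificate written to $WORK/NAME.crt
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -extensions v3_ca -subj "/CN=$1" -days "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# new_server CA DAYS: server key and CSR, then a certificate signed by CA
new_server() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=sstp.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days "$2" \
    -out "$WORK/server.crt" 2>/dev/null
}

# server_trusted CAFILE EPOCH: the client-side check, evaluated at time EPOCH.
# Succeeds only if the server certificate chains to a still-valid CA in CAFILE.
server_trusted() {
  openssl verify -attime "$2" -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

new_ca demo-ca 30         # CA that signs the server certificate, valid 30 days
new_ca other-ca 30        # unrelated CA: a client that never imported demo-ca
new_server demo-ca 365    # server certificate outlives its CA

server_trusted "$WORK/demo-ca.crt"  $((NOW + DAY))      && echo "CA imported: trusted"
server_trusted "$WORK/other-ca.crt" $((NOW + DAY))      || echo "CA missing: rejected"
server_trusted "$WORK/demo-ca.crt"  $((NOW + 60 * DAY)) || echo "CA expired: rejected"
```

The last check fails even though the server certificate itself is still within its 365-day validity, because every certificate in the chain, including the CA, must be valid at connection time.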
