Partial workaround - use a Classical active and passive Monitoring checks rule to call the check_tcp plugin directly (Check MK uses this under the hood anyway):
The only issue is that variables are not interpolated under Service description, and this has to be unique per-host. You could always create a host for each certificate if this is a problem.