You can't create a TLS tunnel without a certificate, but you can work around the problem:
1. Create a self-signed certificate for the target server's (= the Internet server using TLS 1.2) domain names:
tlsproxy certgen -s "CN=example.org" -a "example.org,www.example.org" -b 2048 example.pfx
2. Configure the TLS 1.0 server to trust this self-signed certificate. That means either adding 'example.crt' to the Root CA store of the account under which the server runs (if it uses Windows certificate API) or to the server's list of trusted root CAs.
3. Create the TLS 1.0 to TLS 1.2 tunnel.
(Please note that the certgen command creates a certificate signed with the RSA/SHA-256 algorithm. If the TLS 1.0 server is very old and does not support RSA/SHA-256 yet, you would have to create a certificate signed with RSA/SHA-1 instead. Unfortunately, the certgen command does not support that. It's an omission and we will add this functionality to the next release. If it turns out you need this feature, let us know and we'll send you a download link when the new version is ready.)
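A check for the signature-algorithm caveat above, as an added example that is not part of the original answer or the tlsproxy tool: before adding the certificate to the TLS 1.0 server's trust store, confirm which signature algorithm it uses and which host names it covers. It assumes the OpenSSL command-line tool (1.1.1 or later) and a PEM-encoded certificate; the function names are hypothetical, and the sample certificate is constructed with OpenSSL so the script runs on its own.

```shell
#!/bin/sh
# Added example: inspect a certificate before trusting it on the TLS 1.0 server.
# Assumes a PEM file; for a DER-encoded .crt add "-inform DER" to the x509 calls.

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Succeed only if the subjectAltName list contains the DNS name given as $2.
cert_covers() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -qxF "DNS:$2"
}

# Constructed sample: a self-signed RSA-2048/SHA-256 certificate with the same
# subject and alternative names as the certgen command in step 1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -subj "/CN=example.org" \
        -addext "subjectAltName=DNS:example.org,DNS:www.example.org" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample"
echo "signature algorithm: $(cert_sig_alg "$demo_dir/sample.crt")"
for name in example.org www.example.org mail.example.org; do
    if cert_covers "$demo_dir/sample.crt" "$name"; then
        echo "covers $name"
    else
        echo "does NOT cover $name"
    fi
done
rm -rf "$demo_dir"
```

If the reported algorithm is one the old server cannot verify, the trust step will succeed but the handshake through the tunnel will still fail, so run the check before step 2.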