Certificate authentication
Since the release of OpenVPN 2.x, certificate authentication has been the most common OpenVPN deployment in the wild. The earlier static key approach only supported two remote endpoints, neither of which was really a client or a server. This is not useful when more than a single remote client is desired.
Certificate chain overview
X.509 is a notable standard for Public Key Infrastructure (PKI), defining a hierarchical topology of certificate authorities (CAs) and their signed child certificates. The general concept is that at the root of the chain is an authority certificate, the CA. This CA certificate can be used to sign child certificates. Anyone (or anything, such as a system) that trusts the root inherently trusts the child certificates.
A CA can sign child certificates with varying capabilities. Some will have differing key usage (KU); others might have subordinate CA rights. With cascading trust, subordinate CAs are generally given the same trust as their parent CA in a given...
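The chain described above can be built and checked with the openssl command line. This is an added example, not taken from the original text: the names Demo-Root, Other-Root, Demo-SubCA, vpn-server and rogue are made up, and it assumes OpenSSL 1.1.1 or later on the PATH. It shows a child trusted through a subordinate CA, rejected under an unrelated root, and rejected when its issuer has no CA rights.

```shell
#!/bin/sh
# Constructed demo PKI: every name here (Demo-Root, vpn-server, ...) is made up.
PKI=$(mktemp -d)
cat > "$PKI/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# make_root NAME: self-signed root CA key and certificate.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -config "$PKI/ext.cnf" -extensions ca \
        -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null
}

# issue NAME ISSUER PROFILE: child certificate signed with ISSUER's key.
# PROFILE "ca" grants subordinate CA rights, "leaf" makes an end entity.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -config "$PKI/ext.cnf" -keyout "$PKI/$1.key" \
        -out "$PKI/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$PKI/$1.csr" -days 30 -CA "$PKI/$2.crt" \
        -CAkey "$PKI/$2.key" -CAcreateserial -extfile "$PKI/ext.cnf" \
        -extensions "$3" -out "$PKI/$1.crt" 2>/dev/null
}

# trusted ROOT CERT [INTERMEDIATE...]: true only if CERT chains up to ROOT.
trusted() {
    root=$1 cert=$2; shift 2
    for c in "$@"; do cat "$PKI/$c.crt"; done > "$PKI/chain.pem"
    openssl verify -CAfile "$PKI/$root.crt" \
        ${1:+-untrusted "$PKI/chain.pem"} "$PKI/$cert.crt" >/dev/null 2>&1
}

make_root Demo-Root && make_root Other-Root
issue Demo-SubCA Demo-Root ca       # subordinate CA under the root
issue vpn-server Demo-SubCA leaf    # end entity issued by the subordinate
issue rogue vpn-server leaf         # signed by a certificate without CA rights

trusted Demo-Root vpn-server Demo-SubCA && echo "ok: chains to Demo-Root"
trusted Other-Root vpn-server Demo-SubCA || echo "rejected: root not trusted"
trusted Demo-Root rogue vpn-server Demo-SubCA || echo "rejected: issuer is not a CA"
```

Only the root passed with `-CAfile` is a trust anchor; certificates passed with `-untrusted` help build the chain but are themselves verified against that root.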