Chapter 6. Certificates and Authentication
There are many methods of authentication available within OpenVPN. At its introduction, OpenVPN supported only a simple pre-shared key but today supports X.509 certificate chains, user and password authentication, and third-party authentication plugins and scripts. Each of these can be used separately, or they can be combined to form a robust authentication and authorization framework.
Along with robustness, complexity creates potential confusion and adds difficulty in troubleshooting authentication issues, understanding how the individual components affect the connection process and where logic is applied in accepting or rejecting a client or user.
Mismanagement of your PKI can have great consequences, whether your PKI is relatively local in scope (a single organization or hobbyist's systems), or global, such as a public certificate authority (CA) providing certificates to customers. There were two cases in 2016 of trusted CAs ...