For anyone stumbling across this thread:
As Cory (NQ1E) has explained, LotW is making a transition to a newer certificate authority which IS NOT signed by the older CA, i.e. it is unrelated.
With the help from Tom SP2L I have figured out that the current certificate of the OpenVPN access point is the older LotW cert.
If you got signed by the newer cert you likely will not be able to access the OpenVPN, like me. (I cannot prove that, but since I cannot access it and I only have the newer cert, I have the strong suspicion that my claim is true.)
73 de Roland, oe1rsa
On 27.10.2015 at 21:37, Cory (NQ1E) wrote:
The oldest of the three LotW root CAs hasn't been in use for several years and can be discarded. I think I heard that they lost the private key for it, or something silly like that.
The second one is their SHA1 root CA cert that they've been using up until this year, but should be kept around for a while because some people still have call sign certs in that chain. Since call sign certs are only signed for two years, you can discard that root CA too once the existing call sign certs expire.
The latest LotW root CA was created this year using modern crypto tech. It was necessary because it's expected that SHA1 will be broken within a few years, so everyone's in a hurry to move away from it.
-Cory NQ1E
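
The general mechanism discussed in this thread, as an added example that is not part of either post: a certificate issued under a new root that was not signed by the old root does not verify against a trust store holding only the old root. Every name here (`old-root`, `new-root`, `N0CALL`) is constructed for the demo, no real LotW certificates are used, and both roots use SHA-256 because the digest does not affect the result.

```shell
#!/bin/sh
# Constructed demo: two unrelated self-signed roots and one leaf issued by the new root.

make_root() {  # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_leaf() {  # $1 = leaf file prefix, $2 = prefix of the issuing root
    openssl req -newkey rsa:2048 -nodes -subj "/CN=N0CALL" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -sha256 -days 30 -out "$1.pem" 2>/dev/null
}

chains_to() {  # $1 = root cert, $2 = leaf cert; status 0 only if the leaf verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_root old-root "Demo Old Root"
        make_root new-root "Demo New Root"   # independent key, not signed by old-root
        make_leaf leaf new-root              # client cert issued under the new root
        for root in old-root new-root; do
            if chains_to "$root.pem" leaf.pem; then
                echo "trust anchor $root: leaf accepted"
            else
                echo "trust anchor $root: leaf rejected"
            fi
        done
    )
    rm -rf "$dir"
}

demo
```

A server that must accept clients from both chains during a transition needs both root certificates in the CA file it verifies against.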