Tal, thanks for the follow-up.
Most of that I already knew. As I have said, I have a functioning OpenVPN server. The only thing it lacks is the ability to work with client keys that folks extract from their LoTW credentials. I have to issue client keys to people, and that is what I am trying to get away from.
I really need a watered down step by step guide on how to do this till it all clicks in my mind. Multi-factor authentication is pretty confusing and new to me yet.
As I have said, the client key extraction and documentation in the wiki is easy to understand; I just wish the same existed for the server end.
http://wiki.ampr.org/wiki/AMPRNet_VPN
It appears I need to build a certificate signing request (maybe I am wrong). Again, it's not clear to me where/how to extract the root certificate from the ARRL LoTW program.