If you want to use LotW keys, you CAN NOT generate any keys.
Let me motivate:
- LotW has a CA certificate, and its private key.
- Using those, it generates some intermediate certificates, public and private keys.
- Using those intermediate certificates, it generates the public and private keys for the user which are sent to him.
To generate user keys, you NEED the private keys of the intermediate certificates, which you do not have. These are needed to sign the newly generated keys.
To set up an encrypted communication channel, as in OpenVPN, each side needs to have its own public AND private key, and the public key of the peer. To be able to trust the peer, meaning to certify it is the real peer, one can either manually establish this trust (like manually accepting the certificate in ssh on first connection), or check its signature against a trusted intermediate certificate, which in turn can be checked against the root certificate. To do this, you only need the public certificate, not its private key. These public CA and intermediate certificates are the ones distributed by LotW. This allows you to check the validity of a user certificate, but prevents you from issuing your own (because you do not have their private keys).
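The chain check described above, as an added example that is not part of the original post: it builds a root CA, an intermediate CA and a user certificate locally with openssl (all names are constructed; none of this is LotW's real CA material) and shows that verifying a user certificate needs only the public certificates, while a certificate issued without the intermediate's private key is rejected.

```shell
#!/bin/sh
# Added example: three-level chain (root -> intermediate -> user) built with openssl.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509 extensions: CA certificates may sign other certificates, user certificates may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > user.ext

# make_key_and_csr NAME SUBJECT: fresh RSA private key plus a signing request for it.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# Root CA: self-signed with its own private key (the only key that can issue intermediates).
make_key_and_csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA: signed by the root's private key.
make_key_and_csr int "Example Intermediate CA"
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out int.crt 2>/dev/null

# Legitimate user certificate: signed by the intermediate's private key (int.key).
make_key_and_csr user "Example User"
openssl x509 -req -in user.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -extfile user.ext -out user.crt 2>/dev/null

# Someone who only holds the PUBLIC int.crt cannot sign with it; the best they can do
# is make their own "intermediate" and sign a user certificate with that instead.
make_key_and_csr rogue "Rogue Intermediate"
openssl x509 -req -in rogue.csr -signkey rogue.key -days 365 -extfile ca.ext -out rogue.crt 2>/dev/null
make_key_and_csr forged "Example User"
openssl x509 -req -in forged.csr -CA rogue.crt -CAkey rogue.key -CAcreateserial \
  -days 365 -extfile user.ext -out forged.crt 2>/dev/null

# verify_user_cert ROOT INTERMEDIATE USER: exit 0 only if USER chains to ROOT via INTERMEDIATE.
# Only public certificates are read here; no private key is involved in verification.
verify_user_cert() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

if verify_user_cert root.crt int.crt user.crt; then echo "user.crt: valid chain to root"; fi
if verify_user_cert root.crt int.crt forged.crt; then
  echo "forged.crt: unexpectedly accepted"
else
  echo "forged.crt: rejected (not signed by the trusted intermediate)"
fi
```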