Hey Roland,
> I am still wondering if anyone can tell me which of the three LoTW root CA certificates is tested by OpenVPN, or if all three are being tested?
Heikki Hannikainen previously mentioned in email that there are machine certs, the primary cert for the root CA, and an intermediate cert. He listed *three* specific bullet items in his email which correspond to each of the three certificates that you mentioned (not necessarily in that order though). So, though seemingly an overly complicated implementation of certificates on the part of the ARRL, you need to trust all three.
> Since all three certificates can be downloaded and as such look "official" to me, I am left with doubt that I can make my VPN work at all, since I got a cert that is signed by a different CA than Heikki showed on the list.
Certs do get replaced from time to time and maybe they upgraded the machine cert recently. Dunno. Maybe Hessu (Heikki) could add links to the specific certs he's been successful with so that you can compare.
--David KI6ZHD