Ok, so you're trying to generate a server certificate for your VPN server.
I am trying to generate/gather all the files I need for the server side so that when it's done it works like yours. Where I don't have to issue client keys, and all that. (Just a config file and the public key ca.crt file). They can just follow the well documented steps in the wiki that work for yours.
So I don't need to build a Certificate Signing Request after all?
For this step, we actually do not need *anything* from LotW/TQSL side (and cannot use any)! Just use any openvpn server setup guide's instructions for setting up a CA and generating a server certificate out from that CA. That CA cert is then given to the openvpn client, so that the client can make sure it is talking to the correct server.
This is what I have done before. Builds a private root ca, and all the rest.
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-key client1
    ./build-dh
The first line makes sure we start from scratch. The second generates a key for the Certificate Authority (ca.crt and ca.key). The key for the server itself is generated on the third line (server.crt, server.key, and server.csr). Repeat the fourth line for each client that needs to connect (client1.key, client1.csr, client.crt, etc). Finally, we need the Diffie Hellman key as well, which is generated on the fifth line (dh1024.pem).
In my server config file:
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
The LotW certificates are only used for authenticating the client. The server's "ca" config option points to the LotW root certs bundle. The client's "ca" config option points to the private CA which signed the server's certificate.
A paragraph ago I thought you said build one's own private root ca...
But it sounds like you are now saying I just copy: C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root over to the server, rename it to ca.crt?
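
The two-CA split discussed in this thread (the client's "ca" checks the server, the server's "ca" checks the clients), as an added example that is not part of the original messages. It uses plain openssl rather than the easy-rsa scripts; every name is constructed, and clientca is only a stand-in for the LotW root bundle, not the real one.

```shell
#!/bin/sh
# Constructed demo: all file names and subjects are made up for illustration.
# "clientca" is a stand-in for the LotW root bundle; no real LotW/TQSL file is used.

make_ca() {   # $1 = file basename, $2 = common name of a self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue() {     # $1 = basename of new cert, $2 = common name, $3 = signing CA basename
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -days 30 -out "$1.crt" 2>/dev/null
}

trusts() {    # $1 = CA file, $2 = certificate; status 0 if it chains to that CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

trust_matrix() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca ca "Private VPN CA" || exit 1          # signs the server cert
        make_ca clientca "Stand-in client root" || exit 1
        issue server vpn-server ca || exit 1
        issue client1 client1 clientca || exit 1
        # Rows 1-2: what a client with "ca ca.crt" accepts.
        # Rows 3-4: what a server with "ca clientca.crt" accepts.
        for pair in "ca server" "ca client1" "clientca client1" "clientca server"; do
            set -- $pair
            if trusts "$1.crt" "$2.crt"; then r=accept; else r=reject; fi
            echo "$1.crt $2.crt $r"
        done
    )
    status=$?
    rm -rf "$dir"
    return $status
}

trust_matrix
```

Each side's "ca" file only decides which peer certificates that side accepts, so the private CA never needs to sign client certificates and the client-side roots never need to sign the server's.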