One of those enlightenment moments that I should have had sooner: every time I have seen someone set up an OpenVPN VPN, they have generated all the certificates on the VPN server as root using easy-rsa. This is kind of strange, because you end up with an incredibly sensitive directory on the VPN server containing every private key for every client. Another angle is whether you trust the random number generators used to create all these keys - does your hosting provider use a weak RNG?

Note to self: when disabling Range headers in Apache to fix CVE-2011-3192, be sure to read the updated advisory and also disable Request-Range headers. (Presumably not "Range-Request" as in the summary of that link?) Or just apply the handy Debian update, of course.