Do OpenVPN servers use CA certificates? I know they usually give you a cert called ca.pem, but I thought that was a self-signed cert. Every guide I've seen for setting up OpenVPN servers includes instructions on generating these certs, with no mention of buying them from certificate authorities. Most of these are 2048 bits, so not trivial to brute force, unless there are other weaknesses, or they steal the root certificates of major VPN providers. Perhaps it's a good idea not to use popular providers that everyone talks about, like HideMyAss and Private Internet Access, since these will be big targets for certificate theft.