I guess we are using the term CA differently. A certificate authority to me is one of the 650 countries or companies that get their root certificates installed in various products like browsers. So if the NSA can get any one of those root certificates, they can sign a client certificate to MITM you (unless the certificate is pinned). With OpenVPN you are given one root certificate by your provider. It's a lot harder to MITM because the client certificate has to be signed by that one root certificate, not any one of 650. Unless there are other weaknesses in the protocol, OpenVPN is a lot safer than HTTPS, which can be broken by stealing, hacking, or brute forcing any of the root certs in your browser. The CA system is shit precisely because it relies on the security of 650 independent entities, and is only as secure as the most insecure one, and we know some of them have been hacked. We can also be 99.9% certain many of them have turned their root certs over to the NSA. Meanwhile, a random person or organization that signs their own cert is not a certificate "authority" by my definition. I can sign a cert for my web server and your browser will act like your computer is going to explode when you encounter it. Although if you accept my certificate, you can't be MITMed thereafter.