This refers to the open source firewall IPFire

Using a hostkey and certificates from an external certificate authority is possible with the following steps and restrictions:

• On the OpenVPN configuration page start with the button “generate root/host certificate”, but do not generate them, but use the import dialog on the bottom with an existiong file of format PKC#12 and with suffix .p12. It needs to contain the host key and certificate signed by your CA.
• Import your CA's certificate in the form below the list of OpenVPN root and host certificates
• Generate or import Diffie-Hellman parameters
• You need to deposit a valid copy of the certificate revocation list in ipfire's filesystem at /var/ipfire/ovpn/crls/cacrl.pem
• As you don't have a CA Key on the ipfire, you can't generate client certificate, but you must import them. Starting point is still the “Add” button in the client list, just use the “upload” feature instead of “generate …”.
• When creating client certificates by TinyCA2, pay attention to unset the “add email address to CN” checkbox when signing the request (i.e. creating the certificate) as ipfire obviously can't cope with that extension and throws an internal server error when using the cn value as filename, which contains a slash.

• If a clients certificate subject consists only of the comon name (CN), TLS verification will fail due to the regular expression used in /usr/lib/openvpn/verify to get the value of CN=…