linux
LittleJoO, 2015-10-27 07:08:50

How to change OpenVPN keys?

The Ubuntu server is set up as a proxy and hosted by OpenVPN. The task is to change the keys.


2 answer(s)
Vladimir, 2015-10-27
@rostel

raise another OpenVPN instance on a different port
generate a new key for it
transfer all clients to the new server
kill the old one

younghacker, 2015-10-30
@younghacker

The installation package contains scripts.

build-ca
build-dh
build-inter
build-key
build-key-pass
build-key-pkcs12
build-key-server
build-req
build-req-pass
clean-all
inherit-inter
list-crl
Makefile
openssl-0.9.6.cnf
openssl.cnf
pkitool
README
revoke-full
sign-req
vars
whichopensslcnf

Copy the scripts to some working directory.
Edit the vars file: set the certificate expiration dates, organization name and email.
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="DE"
export KEY_PROVINCE="none"
export KEY_CITY="Berlin"
export KEY_ORG="vpn01 v.p.n.."
export KEY_EMAIL="[email protected]"

exit to a clean shell,
run
after that, without leaving the shell, run in turn.
./build-ca ${NAME}
./build-dh
./build-key-server ${NAME}-server
"${OPENVPN}" --genkey --secret "./keys/${NAME}-ta.key"

And then for each client.
Where OPENVPN=`which openvpn`,
NAME="vpn01.gw01.common.vpn" is the common part of the key names,
i is the client number.
Next you will get the following files.
ca.crt - for clients and server (public)
ca.key - only on the machine that signs (do not store on the server!!!)
ta.key - for clients and for the server (secret)
dh2048.pem - (for server)
vpn01.gw01.common.vpn.server.crt - for server (public)
vpn01.gw01.common.vpn.server.key - for server (secret)
vpn01.gw01.common.vpn.client1.crt - for client (public)
vpn01.gw01.common.vpn.client1.key - for the client (secret)
Save the entire directory with scripts, including the created folder (keys), to a secret place and delete it from the server, in case you need to regenerate or revoke certificates.
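The answer above splits the generated files into "server", "client" and "signer only" sets and stresses that ca.key must never sit on the server. The script below is an added example (not code from the original answer or from easy-rsa) that automates exactly that split after the keys directory has been generated: it copies only the server-side files to the server's config directory, sets restrictive permissions on the secrets, and audits the result. File names follow the build-key-server and --genkey invocations shown above (so `${NAME}-server.crt` and `${NAME}-ta.key`); those names, the default NAME and the target directory are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the original answer or of easy-rsa.
# Stage the server-side subset of an easy-rsa "keys" directory and audit it.
set -u

# Assumed naming, derived from the commands in the answer above.
NAME="${NAME:-vpn01.gw01.common.vpn}"
SERVER_CRT="${SERVER_CRT:-${NAME}-server.crt}"
SERVER_KEY="${SERVER_KEY:-${NAME}-server.key}"
TA_KEY="${TA_KEY:-${NAME}-ta.key}"

# What the server needs (public vs secret) and what must never be there.
server_public="ca.crt dh2048.pem $SERVER_CRT"
server_secret="$TA_KEY $SERVER_KEY"
never_on_server="ca.key"

# stage_server_files SRC DST
# Copies only the server set from SRC to DST; ca.key is never copied.
# Returns 0 on success, 1 if DST cannot be created or a required file is missing.
stage_server_files() {
    src="$1"; dst="$2"
    mkdir -p "$dst" || return 1
    for f in $server_public $server_secret; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
        cp "$src/$f" "$dst/$f" || return 1
    done
    for f in $server_secret; do chmod 0600 "$dst/$f"; done
    for f in $server_public; do chmod 0644 "$dst/$f"; done
    return 0
}

# audit_server_dir DIR
# Returns 0 when every server file is present, secrets are 0600/0400 and no
# CA private key is present; otherwise prints each finding and returns 1.
audit_server_dir() {
    dir="$1"; rc=0
    for f in $never_on_server; do
        [ -e "$dir/$f" ] && { echo "FAIL: $f present in $dir (CA key must stay off the server)"; rc=1; }
    done
    for f in $server_public $server_secret; do
        [ -f "$dir/$f" ] || { echo "FAIL: $f missing from $dir"; rc=1; }
    done
    for f in $server_secret; do
        [ -f "$dir/$f" ] || continue
        # First ten characters of ls -l are portable across GNU and BSD.
        mode=$(ls -l "$dir/$f" | cut -c1-10)
        case "$mode" in
            -rw-------|-r--------) ;;
            *) echo "FAIL: $f has mode $mode, expected -rw-------"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage:  ./stage_keys.sh stage ./keys /etc/openvpn/keys
#         ./stage_keys.sh audit /etc/openvpn/keys
case "${1:-}" in
    stage) stage_server_files "$2" "$3" ;;
    audit) audit_server_dir "$2" ;;
esac
```

Running the audit after every rotation is the cheap check that catches the two common mistakes the answer warns about: a CA private key left behind on the server, and a server or tls-auth key readable by every local user.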
