1 year ago

#292923

Muri Rokcs

Is it necessary to have a separate CA server to be online 24/7 in order to provide signing service for another OpenVPN server?

I had followed a DigitalOcean tutorial and deployed OpenVPN & CA servers (EasyRSA) for my team in order to remotely access some infrastructure; and this has worked very well for us.

However, I am new to OpenVPN and Certificate Authorities, so I don't exactly understand how they interact with each other; I just followed the tutorial.

My questions:

  1. Why do I need to deploy a whole CA server on the internet instead of simply signing keys with my Local PC or some local VM?
  2. Does this CA server have to be online 24/7, or do I only run it when I need to sign new client keys?

Aside from gaining technical knowledge, I also want to reduce the cost by not running this CA server all the time, hence my two questions.

Things I learned:

  • OpenVPN documentation clearly explains why the CA has to be a different machine for security purposes, but not whether this service must always be online.
  • I tested connecting to the VPN while the CA server is offline, and the VPN connection worked. I still don't understand what's going on exactly from the CA's perspective when a client connects.

Thanks for checking my question.

Tags: rsa, digital-ocean, openvpn, certificate-authority
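Added example, not part of the question or of the DigitalOcean tutorial: a throwaway CA and client certificate built with plain openssl (EasyRSA wraps the same operations), showing that verifying a client certificate at connect time needs only the CA's public certificate (ca.crt), not the CA's private key or a reachable CA host. The names Example-Test-CA, client1 and rogue are constructed for this illustration.

```shell
#!/bin/sh
# Constructed illustration: build a throwaway CA, sign one client cert,
# delete the CA's private key (stand-in for "CA host switched off"), and
# verify certificates the way the OpenVPN server does: against ca.crt only.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

make_ca_and_client() {
    # Throwaway CA: self-signed certificate + private key. The key normally
    # lives only on the CA host and is the sensitive part.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example-Test-CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
    # Client key + certificate signing request, as a client would generate it.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=client1" -keyout client1.key -out client1.csr >/dev/null 2>&1
    # Signing is the only step that needs ca.key, so it is the only step
    # that needs the CA host to be up.
    openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out client1.crt >/dev/null 2>&1
    # Simulate powering the CA off: its private key is no longer reachable.
    rm -f ca.key
}

# Impostor: a self-signed cert that merely claims the same CN as client1.
make_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=client1" -keyout rogue.key -out rogue.crt >/dev/null 2>&1
}

# What the VPN server does on connect: chain the presented certificate to
# the trusted ca.crt. Exit status 0 = trusted, non-zero = rejected.
verify_client() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

make_ca_and_client
make_rogue_cert
if verify_client client1.crt; then echo "client1.crt: trusted (ca.key absent)"; fi
if ! verify_client rogue.crt; then echo "rogue.crt: rejected"; fi
```

Revocation is the one place the CA comes back into the picture: a CRL it produces must be copied to the VPN server, which then checks it locally, so the CA still does not need to stay online.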

0 Answers
