Thanks! I appreciate you taking the time to help me figure this out.
I've read OpenVPN's documentation and their cert revocation only appears for revoking client certs, not for revoking server certs. It therefore doesn't look applicable for revoking server certs. I also reached out to OpenVPN per your recommendation, to see if they have any additional advice.
> solve the problem (a compromised certificate) by replacing the client's OpenVPN configuration file to use a new, trusted, certificate
Awesome! So it sounds like the tunnelblick trust store would have to be updated so that it contains either (a) only the new server cert, or (b) a new intermediate cert that was never used to sign the compromised server cert, or (c) a new root cert that was never used to sign any cert in the chain from which the client cert exists.
That makes me wonder: Is it a Tunnelblick best practice to only include the server (leaf) certs, not anything in its certificate chain in the Tunnelblick configuration / trust store, in order to minimize breadth of impact if a certificate is compromised (roughly equivalent to pinning to the server cert)? This would insulate entirely against the root's or intermediate's private keys being compromised, and would avoid having to reconfigure / replace trust stores in unaffected tunnelblick configurations in the event of a breach, in exchange for higher maintenance costs for maintaining tunnelblick configurations for regular certificate rotation periods.