Thanks for pointing me in the right direction.
I tried easy-rsa (part of the OpenVPN Windows client) and followed the instructions in README.txt:
To generate TLS keys:
Create new empty index and serial files (once only)
1. vars
2. clean-all
Build a CA key (once only)
1. vars
2. build-ca
Build a DH file (for server side, once only)
1. vars
2. build-dh
Build a private key/certificate for the openvpn server
1. vars
2. build-key-server <machine-name>
vars file has this:
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf
set KEY_DIR=keys
set KEY_SIZE=1024 (tried 2048 as well)
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=noname@noname.domain
set KEY_CN=router
set KEY_NAME=openvpn
set KEY_OU=IT
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234
The process mentioned in the README.txt creates everything fine. I copied the content of ca.crt, server.crt, server.key, dh.pem to the Content modification of Keys & Certification section, which generates all files on the router (content matches the files generated on my laptop). I then copied the new client.ovpn file to my laptop. But when I connect using the client I get this error: "Cannot load inline certificate file: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib"
When the router creates the server through its usual means (1024 cert), all works fine. The manual process (with 1024 or 2048) isn't working.
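
Added example, not part of the original post: "no start line" is what OpenSSL's PEM reader returns when it finds no `-----BEGIN ...-----` line in the data it was handed, so a quick check of the inline `<ca>`, `<cert>` and `<key>` blocks in a client.ovpn shows which block lacks one. The function names and the sample profile are constructed for illustration; the `<cert>` block in the sample is deliberately left without a start line.

```python
import base64
import binascii
import re

# Inline blocks of a client profile and the PEM labels each may carry.
# Legacy encrypted keys with "Proc-Type" header lines are not handled here.
EXPECTED = {
    "ca": ("CERTIFICATE",),
    "cert": ("CERTIFICATE",),
    "key": ("PRIVATE KEY", "RSA PRIVATE KEY"),
}
BLOCK_RE = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")


def check_block(body, labels):
    """Classify one inline block the way a PEM reader would see it."""
    if body is None:
        return "missing block"
    if "-----BEGIN " not in body:
        return "no start line"  # same condition OpenSSL reports
    pem = PEM_RE.search(body)
    if pem is None:
        return "malformed PEM"
    if pem.group(1) not in labels:
        return "unexpected label: " + pem.group(1)
    try:
        base64.b64decode("".join(pem.group(2).split()), validate=True)
    except binascii.Error:
        return "bad base64"
    return "ok"


def check_profile(text):
    """Return {tag: status} for the ca, cert and key inline blocks."""
    found = {m.group(1): m.group(2) for m in BLOCK_RE.finditer(text)}
    return {tag: check_block(found.get(tag), labels) for tag, labels in EXPECTED.items()}


# Constructed sample: payloads are placeholder bytes, not real key material.
_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE = (
    "client\nremote vpn.example.invalid 1194\n"
    f"<ca>\n-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n</ca>\n"
    "<cert>\nCertificate:\n    Data:\n        Version: 3 (0x2)\n</cert>\n"
    f"<key>\n-----BEGIN PRIVATE KEY-----\n{_B64}\n-----END PRIVATE KEY-----\n</key>\n"
)

if __name__ == "__main__":
    for tag, status in check_profile(SAMPLE).items():
        print(f"{tag}: {status}")
```

To check a real profile, pass the text of the client.ovpn file to `check_profile`; the check only looks at PEM framing and base64, it does not validate the certificate itself.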