I'm vaguely aware of how SSL works, but this tactic doesn't seem secure to me. Imagine this scenario:
There is a free OpenVPN service that uses OpenSSL (Easy-RSA) to generate its own ca.crt (the server's CA certificate with public key) and ca.key (the server's private key). The organization also generates one client.crt (client's certificate with public key) and one client.key (client's private key). Then they package the ca.crt, client.crt, and client.key files with their custom OpenVPN installation package, and the certificates and keys never change. Every person who uses this organization's VPN service will have the same client certificate, the same public key, and the same private key (as well as the same protocol and cipher). Lastly, these items of interest can be acquired simply by filling out a registration form and installing their software.
This sounds like a huge vulnerability to me, but I'm only a novice as far as networking goes, if that. The reason I think this isn't protecting data is that if someone who is "listening" to your connection has the same public keys and private key available, couldn't they decrypt your communication with the server? But please, let me know what you guys think. Is such a setup still secure? And if it really is still secure, why/how? Does SSL create a purely unique key upon connection, even with the same client certs and keys being used? o.O
Thanks for reading. I hope to see your opinions and learn more about VPNs and SSL.


