I'm vaguely aware of how SSL works, but this tactic doesn't seem secure to me. Imagine this scenario:
There is a free OpenVPN service that uses OpenSSL (Easy-RSA) to generate its own ca.crt (the server's CA certificate with public key) and ca.key (the server's private key). The organization also generates one client.crt (client's certificate with public key) and one client.key (client's private key). Then they package the ca.crt, client.crt, and client.key files with their custom OpenVPN installation package, and the certificates and keys never change. Every person who uses this organization's VPN service will have the same client certificate, the same public key, and the same private key (as well as the same protocol and cipher). Lastly, these items of interest can be acquired simply by filling out a registration form and installing their software.
This sounds like a huge vulnerability to me, but I'm only a novice as far as networking goes, if that. The reason I think this isn't protecting data is because if someone who is "listening" to your connection has the same public keys and private key available, couldn't they decrypt your communication with the server? But please, let me know what you guys think. Is such a setup still secure? And if it really is still secure, why/how? Does SSL create a purely unique key upon connection, even with the same client certs and keys being used? o.O
Thanks for reading. I hope to see your opinions and learn more about VPNs and SSL.