You can password protect your key file so that an extra password is needed to connect with OpenVPN. This also works with certificates embedded in the .ovpn file.
You can simplify OpenVPN distribution by using only one file for both the config and the certificates. A normal .ovpn file with separate .key and .crt files looks like this:
client
dev tun
dev-node "Dalesjo VPN"
proto tcp
remote my-server 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
comp-lzo yes
ca DALESJO-OpenVPN.crt
cert DALESJO-SADAL.crt
key DALESJO-SADAL.key
tls-auth DALESJO-Server.tls 1
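The following added example, which is not from the original post, merges a config like the one above into a single .ovpn using OpenVPN's inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, moves the tls-auth direction to `key-direction`, and warns when the embedded private key is not password protected. The function names and the placeholder file contents are assumptions.

```python
import shlex

# Directives whose file argument OpenVPN also accepts as an inline <tag>...</tag> block.
INLINE = ("ca", "cert", "key", "tls-auth")

def key_is_encrypted(pem):
    """True if a PEM private key is passphrase protected (PKCS#8 or legacy format)."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem

def inline_ovpn(config_text, read_file):
    """Return (unified_config, warnings); read_file(name) returns that file's text."""
    out, blocks, warnings = [], [], []
    for line in config_text.splitlines():
        parts = shlex.split(line, comments=True)  # honours quoted arguments
        if len(parts) < 2 or parts[0] not in INLINE:
            out.append(line)  # every other directive is copied unchanged
            continue
        tag, name = parts[0], parts[1]
        body = read_file(name).strip()
        if tag == "key" and not key_is_encrypted(body):
            warnings.append(f"{name}: private key is not password protected")
        if tag == "tls-auth" and len(parts) > 2:
            # An inline tls-auth block cannot carry the direction argument.
            out.append(f"key-direction {parts[2]}")
        blocks.append(f"<{tag}>\n{body}\n</{tag}>")
    return "\n".join(out + blocks) + "\n", warnings

# Constructed sample input: file names come from the config above, contents are placeholders.
SAMPLE_CONFIG = "client\ndev tun\nca DALESJO-OpenVPN.crt\ncert DALESJO-SADAL.crt\n" \
                "key DALESJO-SADAL.key\ntls-auth DALESJO-Server.tls 1\n"
SAMPLE_FILES = {
    "DALESJO-OpenVPN.crt": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "DALESJO-SADAL.crt": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "DALESJO-SADAL.key": "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n",
    "DALESJO-Server.tls": "-----BEGIN OpenVPN Static key V1-----\n(placeholder)\n"
                          "-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    unified, warnings = inline_ovpn(SAMPLE_CONFIG, SAMPLE_FILES.__getitem__)
    print(unified)
    for w in warnings:
        print("WARNING:", w)
```

Because the unified file carries the private key wherever it is copied, the warning marks the case where the key should be password protected before the file is distributed.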