Sure you can use a self signed certificate, but that means either distributing and installing your self signed root cert on end devices, or not using certificate checking (and making yourself more vulnerable to man in the middle attacks).
The middle ground is a free letsencrypt cert, which assuming you can either expose your freepbx box port 80 or proxy the http challenge to the box takes moments to create.
To use the self managed OpenVPN integration, you need the commercial sysadmin module.
If you want to roll your own openvpn setup, sky’s the limit (but so is the complexity).
I recommend self signed. If you go with LE, it has a short expiry so auto-renewal is a must. You’ll have to wait for a cert to be up for renewal to even test it. Many things unrelated to FreePBX (router/firewall, domain registrar, etc.) can break it.
With self-signed, you can set a 10-year expiry; when that happens it will probably be someone else’s headache. The CA cert doesn’t have to be ‘installed’ anywhere; just include it in the .ovpn files you distribute.
The FreePBX Distro has OpenVPN already installed. You just need to create config files for the clients and server, not different from any other Linux system. There are many guides available.