I'm about 50-50 on new CA installations for getting it to work right without a lot of pain. Usually I generate keys in a BSD virtual machine rather than on my Mac, but it looks right. I am going to break down now and do the PKI on a Windows server in hopes that it makes things less painful.
Apparently there is a way to import things directly into the Keychain, but I don't remember the details.
The easy-rsa scripts provided with OpenVPN can make the process much easier.
But, once you are using PKI, I understand you are much better going with IKEv2 than L2TP; routing and mobility are much cleaner.