Assuming bidirectional keypair authentication with valid certificates, such as dates, etc., no tls-crypt, no CRL and no checks for common names.
Is that also the reason for using a private CA, instead of a public one?
Not just OpenVPN - this is how PKI works, period. Your processes trust the issuing CA, so that when they are presented with a certificate that they haven't seen before, they can trust that it was issued by a CA they trust.
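The trust decision described in the answer above, as an added example that is not part of the original thread: a certificate the verifier has never seen is accepted purely because it chains to the trusted CA, and pointing the trust anchor at a CA that issues to other parties accepts their certificates too. It assumes the openssl CLI is installed; the CA names, subjects and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every CA, key and certificate here is generated on the spot.
d=$(mktemp -d)
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$d/$1.key" -out "$d/$1.crt" 2>/dev/null
}

# issue CA NAME: leaf certificate NAME signed by CA.
issue() {
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null
    openssl x509 -req -in "$d/$2.csr" -CA "$d/$1.crt" -CAkey "$d/$1.key" \
        -CAcreateserial -days 1 -out "$d/$2.crt" 2>/dev/null
}

# trusts CA CERT: succeeds when CERT chains to CA. This is the only check
# left under the question's assumptions (no CN check, no CRL).
trusts() {
    openssl verify -CAfile "$d/$1.crt" "$d/$2.crt" 2>/dev/null | grep -q ': OK$'
}

make_ca private-ca          # CA operated only for this VPN
make_ca shared-ca           # stands in for a CA that issues to many parties
issue private-ca new-client # a certificate the verifier has never seen
issue shared-ca outsider    # someone else's certificate from the shared CA

for pair in "private-ca new-client" "private-ca outsider" "shared-ca outsider"; do
    set -- $pair
    if trusts "$1" "$2"; then echo "ca=$1 cert=$2: accepted"
    else echo "ca=$1 cert=$2: rejected"; fi
done
```

The last pair is the public-CA case from the question: with no common-name check, whoever holds any certificate from the trusted CA passes the same test as a legitimate client.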