Hi Richard,
Okay, I think we can address your last two points. I find it's less problematic during installation to append the CAcert to the end of the CA issued cert, but that's not a good reason to not do this.
So, uncomment the CA.pem line, and add a comment that CA.pem can alternatively be commented out and appended to certfile.pem. By CA.pem, I assume you are referring to the CAFile and CADir values in ns/server/${server}/module/nsopenssl/sslcontext/users. CA.pem is currently only found in the AOLserver 3.3 nsopenssl part of config.tcl.
There's another cleanup point that should be addressed at the same time:
removing '+SSLv2:' from users context CipherSuite.
Anything else?