I don’t believe that you need to re-generate the certificate authorities and keys. I will do a check on that and report back to confirm.
You don’t have to delete the old ones but in that case the new ones need a different connection name and a different user/hostname for the certificate. The Openvpn WUI page will tell you if you are duplicating a name. However if you want to change the Hash Algorithm or Encryption then the old client connections will no longer work and then it make sense to delete them.
You can always bring them back by a restore (make sure you do a backup before deleting everything so you can restore if needed.
If you are creating new client certs then it makes sense to use the strongest security options.
For the Hash Algorithm the best currently is SHA2 512 bit or Whirlpool 512 bit. I use the SHA2 512 bit as that is more commonly used and therefore most clients will be good with that… The Whirlpool 512 bit is also good but not so commonly used. The SHA2 works with my Linux and Android clients with no problems.
For the Encryption the best is usually at the top of the list in the drop down box. In this case that bis AES-GCM 256 bit. That is the one that I use and it works with my Linux and Android clients.
If you want to use the Openssl-3.x based certificates note that for Android you will need version 13 (or possibly 12, not yet confirmed). See
https://community.ipfire.org/t/results-found-with-certificates-created-with-openssl3-x/9894
No problems at all, that is what the forum is for. 