Best practice for using and securing one's self-signed certificates (first time user!)

I need to enable a small LAN to handle incoming VPN and a lightweight SSL web server. It would be my first time doing this. I understand the concepts of certificate chains quite well, but I don't have personal experience so far, of the practical aspects of creating, safeguarding and employing certificates on a LAN.

The situation here is pretty simple. It's a small domestic LAN (192.168.x.x), with 3 desktops and a soft "M0n0wall"-style *nix router able to terminate OpenVPN/Stunnel (external IP range 1.2.3.8/29, internal IP 192.168.2.2). There are no public DNS entries or a domain structure, and no internal DNS, just a single external IP, router, unmanaged switch, and a few LAN devices running Windows. The rest is done via DHCP + NAT on the router.

The owner wants VPN that terminates on the router itself. The end result should be that when logged in remotely with VPN, for all intents and purposes their laptop is treated as on a LAN connection - once VPN is established, it gets allocated a private IP by the router's DHCP server, connections t that private IP are rerouted to the laptop via VPN, the owner can connect to local mapped file shares and printers as normal, and while on VPN, the laptop uses the router (via its LAN + DHCP) as its WAN gateway.

(What I mean is, when VPN is connected, it uses the router for both the VPN ingress/termination, and *also* as the sole WAN gateway, so that the router's firewall + cache + other functions will be active on the laptop's WAN traffic as normal once connected to the LAN via VPN).

I understand how certificates and other functions work, and I can figure out getting VPN to work if the certificates are correct but the actual "how to start using self signed certificates and keep them secure" is not easy to find. I hope these aren't "dumb" questions. So I want to be a bit clearer before starting, about some of the key security aspects that are new to me:

1. I know the private certs must be kept "secure", but how is this done? Unlike passwords, the VPN and web servers needs the private and public cert in "plaintext". Can they be held, or backed up within config, in encrypted form, as they need to be used in plaintext?
   
   
2. Do I need different public keys for each function (VPN + web server), or will one be enough for all of them? Or am I getting confused and there's a also a separate "signing key" or "signing certificate" that I create first, that's then used to sign the VPN and web server's private and public keys? What exact certificates do I need to create for this setup anyway?
   
   
3. Which certificates are stored where? Which ones do I need to especially safeguard? Which ones should be saved within the VPN or web server for their use, and which should I keep "offline" (permanently non-networked old laptop/USB) to ensure they can't be misused if penetrated?
   
   
4. As self-cert certificates can be freely created at will, is it worthwhile to replace them with new public/private certificates regularly, and ditch the old ones, or is this a dumb thing to do? Do I need to keep a "revocation list"?
   
   
5. Verifying an https certificate chain, or establishing a VPN connection, probably requires one or more of the public certificates to be stored on the remote device as a certificate authority. Which certs would I need to tell the owner to add as authorities?

The owner's doesn't need a lot of certificate functionality, basically just a small web server and VPN, so what practical steps do I need to follow, not to do something dumb

Thanks!