diff --git a/bin/ovpn_copy_server_files b/bin/ovpn_copy_server_files
index 1be138b..10e6ca6 100755
--- a/bin/ovpn_copy_server_files
+++ b/bin/ovpn_copy_server_files
@@ -2,14 +2,24 @@
 ## @licence AGPLv3
 ## @author Copyright (C) 2015 Robin Schneider
-source "$OPENVPN/ovpn_env.sh"
+if [ -z "$OPENVPN" ]; then
+ export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+ echo "Could not source $OPENVPN/ovpn_env.sh."
+ exit 1
+fi
 TARGET="/tmp/openvpn_${OVPN_CN}"
 if [ -n "$1" ]; then
 TARGET="$1"
+else
+ TARGET="$OPENVPN/server"
 fi
 rsync --recursive --verbose --prune-empty-dirs \
+ --exclude="clients" \
+ --exclude="server" \
 --include "*/" \
 --include "/pki/private/${OVPN_CN}.key" \
 --include "/pki/ca.crt" \
@@ -19,6 +29,6 @@ rsync --recursive --verbose --prune-empty-dirs \
 --include "/openvpn.conf" \
 --include "/ovpn_env.sh" \
 --exclude="*" \
- "$OPENVPN/" "$TARGET"
+ "$OPENVPN/" "$TARGET" -n
 echo "Created the openvpn configuration for the server: $TARGET"
diff --git a/docs/paranoid.md b/docs/paranoid.md
new file mode 100644
index 0000000..e936f85
--- /dev/null
+++ b/docs/paranoid.md
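Review bot: The new fallback `export OPENVPN="$PWD"` means that when `OPENVPN` is unset the script sources and reads `ovpn_env.sh` from whatever directory it happens to be run in, which hides a misconfigured environment and executes shell code from the caller's working directory. Failing fast is the safer default, e.g. replacing the `if [ -z "$OPENVPN" ]` block with `: "${OPENVPN:?set OPENVPN to the openvpn config directory}"`. The diagnostic in the sourcing branch should go to stderr, `echo "Could not source $OPENVPN/ovpn_env.sh." >&2`, so it is not mixed into captured output. With the added `else` branch both branches assign `TARGET`, so the preceding `TARGET="/tmp/openvpn_${OVPN_CN}"` is dead; `TARGET="${1:-$OPENVPN/server}"` expresses the same in one line. The rsync invocation continues past the end of this hunk.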
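Review bot: The trailing `-n` added to the rsync invocation is `--dry-run`, so no files are copied into `$TARGET`, yet the `echo` on the following line still reports that the server configuration was created. If it is a leftover from testing, the line should read `"$OPENVPN/" "$TARGET"`; if a dry-run mode is intended, it belongs behind an explicit option with a message saying nothing was written. Independently, rsync's exit status is not checked before the success message, so a failed copy (for instance an unwritable `$TARGET`) still prints it; `"$OPENVPN/" "$TARGET" || exit 1` would make the failure visible. The rsync command begins before this hunk.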
@@ -0,0 +1,11 @@
+# Advanced security
+
+As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it a server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
+
+Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
+
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_initpki
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
+
+The `ovpn_copy_server_files` script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.