No, I do not see they need a TLS key.
Create a CA in pfSense using the blob contained within<ca></ca>
Create a certificate in pfSense using the blobs contained in the and
In the OpenVPN client:
Server Mode: Peer-to-Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Server host or address: vpn.trust.zone
Server port: 443
Place the correct username and password
Be sure TLS authentication is unchecked
Be sure the CA you created is selected in the Peer Certificate authority
Be sure the certificate you created is chosen in the Client Certificate.
Encryption Algorithm: AES-256-CBC
Auth Digest algorithm: SHA512 (eyeroll)
Be sure Don't pull routes is unchecked