
Conversation

@Peter42 Peter42 commented Aug 14, 2018

This pull request adds another flag to mkcert: use mkcert -csr some.csr to sign a CSR using the current CA.

I can make changes, if you don't like the code. Let me know.

@FiloSottile (Owner)

Hi! Thanks for contributing.

Can you tell me a bit about when and why you needed this? I'm trying to keep mkcert a focused tool, and CSR support adds complexity and documentation needs.

Just trying to understand if this fits in the mkcert target use case.

@Peter42 (Author) commented Aug 17, 2018

Sure, I can.
There are some servers which don't allow importing a private key for security reasons. Instead, they provide you with a CSR, you sign it (or give it to a trusted CA to get it signed) and you have to upload the signed certificate.
This has the following background: the more you copy a private key around, transfer it over the network, etc., the more likely it becomes that it will get compromised. So generating it exactly where you need it and never ever creating any copy of it helps to keep it secure.
One example is the "SAP Cloud Platform Cloud Connector".
Another use case is Trusted Execution Environments (like Intel SGX). To ensure the key is only known to the TEE, it can never leave the TEE (or get generated outside). As far as I know, this is currently only relevant to research (but researchers also like simple tools).

FiloSottile added the enhancement (New feature or request) label on Jan 8, 2019
@gregorwolf

Hi @FiloSottile,
I would also greatly appreciate support for Certificate Signing Requests. In the SAP environment that I'm working in I have no direct access to the private keys and can get signed certificates only via a CSR.
Best regards
Gregor

@we11adam

Hi @FiloSottile, like @gregorwolf said, CSR support would be of great help. Please please accept this PR. I would really appreciate that!

PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
Version: csr.Version,
Extensions: csr.Extensions,
ExtraExtensions: csr.ExtraExtensions,
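Review bot: `Version: csr.Version` and `PublicKeyAlgorithm: csr.PublicKeyAlgorithm` in this template have no effect and can be dropped: x509.CreateCertificate does not read either field from the template (the certificate is always marshaled as v3 and the algorithm comes from the public key passed to it). Separately, whatever is copied from the CSR into ExtraExtensions is written into the certificate verbatim and overrides the extensions CreateCertificate would otherwise derive from the template, so if the requested extensions are carried over wholesale a CSR that includes basicConstraints CA:TRUE or its own keyUsage gets those honoured by the CA. Filter the requested extensions down to what a signer should accept from a requester (the SAN extension) before copying them, and keep basicConstraints, keyUsage and extKeyUsage under the CA's control.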
@FiloSottile (Owner)

This is not going to work: ExtraExtensions is for marshaling and Extensions is for parsing, so csr.ExtraExtensions will be empty and tpl.Extensions will be ignored.

But if you set tpl.ExtraExtensions to csr.Extensions, there's no need to copy all the SAN values below because all requested extensions will be copied.

Mailed https://go-review.googlesource.com/c/go/+/160898 to improve the docs.

@FiloSottile (Owner)

Implemented this with the same -csr flag, but took the occasion to refactor the code and gracefully handle CSRs that come without SANs.

Thanks for the details on the use case!
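The Extensions/ExtraExtensions distinction from the review comment above, the fallback for CSRs that come without SANs from the merge comment, and the sign-only workflow Peter42 describes (key generated where it is used, only the CSR travels, only the certificate comes back), as an added Go example. This is not mkcert's code: newCA, newCSR and signCSR, and the example host names, are constructed for this illustration. It goes one step beyond "all requested extensions will be copied": basicConstraints, keyUsage and extKeyUsage are dropped from the copied set, because ExtraExtensions are written verbatim and would otherwise let a CSR ask for CA:TRUE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) { // throwaway CA, constructed for this example
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example dev CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCSR is the requester: its key never leaves this function, only the DER CSR does. requestCA
// adds a basicConstraints CA:TRUE extension request (DER 30 03 01 01 ff) to show the signer dropping it.
func newCSR(cn string, sans []string, requestCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	if requestCA {
		req.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 19}, Value: []byte{0x30, 0x03, 0x01, 0x01, 0xff}}}
	}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

// signCSR issues a leaf for csrDER. Requested extensions are copied via ExtraExtensions (Extensions
// is only filled by the parser and ignored when marshaling); a CSR without SANs falls back to its CN.
func signCSR(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	var passthrough []pkix.Extension
	for _, ext := range csr.Extensions {
		// basicConstraints, keyUsage, extKeyUsage: the CA decides these; copied raw, a CSR could claim CA:TRUE.
		if id := ext.Id.String(); id != "2.5.29.19" && id != "2.5.29.15" && id != "2.5.29.37" {
			passthrough = append(passthrough, ext)
		}
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, ExtraExtensions: passthrough,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) == 0 {
		if csr.Subject.CommonName == "" {
			return nil, fmt.Errorf("CSR has neither SANs nor a CommonName")
		}
		tpl.DNSNames = []string{csr.Subject.CommonName} // appliance CSRs often carry only a CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	caCert, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	csrDER, err := newCSR("no-sans.example.test", nil, false) // CN-only request, appliance style
	if err != nil {
		panic(err)
	}
	cert, err := signCSR(caCert, caKey, csrDER)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%q SANs=%v IsCA=%v\n", cert.Subject.CommonName, cert.DNSNames, cert.IsCA)
}
```

The csr.CheckSignature call is the one step a sign-only flow cannot skip: the signer never sees the private key, so the CSR's self-signature is the only evidence that whoever sent it actually holds the key behind the public key being certified.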

Labels: enhancement (New feature or request)

5 participants