Description
I think it would make a ton of sense to have a new verb "mkosi genkey" or so, which generates a suitable keypair and self-signed certificate for the secureboot stuff and places it in the right files (i.e. mkosi.secure-boot.crt + mkosi.secureboot.key), if they don't exist yet. The openssl commands for that are a bit obscure, hence wrapping that nicely would make sense. The CNs and stuff should be encoded in some new mkosi.defaults settings I figure. At least initially I wouldn't make this too configurable, i.e. just pick some good crypto params and stick to them. If people want to fine-tune the crypto params they can always generate the keys themselves.
mkosi could either shell out to openssl for this, or (probably better) use the appropriate Python-native API for generating them?
(it might make sense to add some extra checking btw, that ensures that mkosi.secure-boot.key is not readable by anyone else, and maybe even warn if it is noticed that it is managed in git, which is probably a bad idea given its secret nature)
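The extra checks suggested in the last paragraph could look like the following. This is an added example, not part of the original issue and not mkosi's own code; the function names are hypothetical, and the git check assumes the `git` CLI is on `PATH`.

```python
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def key_mode_problems(path: Path) -> list:
    """Return a warning if group or others have any access to the key file."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:04o}; expected 0600 or stricter"]
    return []


def is_tracked_by_git(path: Path) -> Optional[bool]:
    """True/False if git can answer, None if git is not installed."""
    try:
        # --error-unmatch makes ls-files exit non-zero for untracked paths;
        # outside a repository git also exits non-zero.
        result = subprocess.run(
            ["git", "ls-files", "--error-unmatch", "--", path.name],
            cwd=path.parent,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            check=False,
        )
    except FileNotFoundError:
        return None
    return result.returncode == 0


def check_secure_boot_key(path: Path) -> list:
    """Collect all warnings for one private key file."""
    warnings = key_mode_problems(path)
    if is_tracked_by_git(path):
        warnings.append(f"{path} is tracked by git; do not commit private keys")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for the real key.
    with tempfile.TemporaryDirectory() as d:
        key = Path(d) / "mkosi.secure-boot.key"
        key.write_text("constructed placeholder, not a real key\n")
        key.chmod(0o644)
        print(check_secure_boot_key(key))  # one permission warning
        key.chmod(0o600)
        print(check_secure_boot_key(key))  # no warnings
```

A key that was committed and later removed from the index still sits in the repository history, which this check does not look at.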