But I agree, making it more difficult (force the user to consult the man page and look up the flag -- see openssl cert generation) would be better.