[dmart]

Funny, when I looked at this my first impression was how much nicer the (hypothetical) GUI looked to use, with all of the functionality easily discoverable without digging through man pages and rewriting your intentions in terms of obscure flags.

To clarify, I'm not saying the GUI is actually better. But I wish we could bring some of those conveniences to the command line experience (way better autocomplete and command discovery).

[xoa]

Another second order factor is that precisely because the GUI just puts it all out there visually, it creates encouragement to start imagining what can be eliminated/automated, or at least shoved behind "advanced options (rarely needed)". What can be sane modern defaults vs reinventing the wheel each time. There are a ton of options in OpenSSL almost nobody should ever use in 2022 including some genuine footguns. Without discipline, CLIs are easy to just keep adding to, and scripting may well encourage that in the typical nature of creating a dependent ecosystem that discourages breakage. Not that there can't be really bad ginormous GUIs too but minimalism has a bit more human psychology behind it there.

Of course, for precisely that reason there are lots and lots of examples (particularly under "modern" "clean/flat" design tastes) that go to the opposite extreme and remove too much, get too information light and hide or eliminate stuff that's genuinely very important. But in the specific context of security software at least the current best practices thinking is that the fewer knobs and dials the better. A huge amount is purely legacy from when there were many more tradeoffs to be made in available compute power/memory vs security, but that fell away long ago in settings that would make use of complex CAs anyway vs something simpler. Not that simple CLI/text configs can't be easy too, look at WireGuard.

This topic strikes a little close to home right now too since I just went through an incredibly frustrating period of trying to put together some internal CAs with modern best practices (like name constraints) and it was quite the maze to get through. And having done it (or at least Good Enough) it definitely didn't need to be that hard. Ah well. Although then again, my experience also highlights to the perils of GUIs at the same time: I would have just used something like the built-in web gui CA generator on OPNsense, except it's so simple it lacks name constraints. Which then led me back into the red in tooth and claw world of openssl and ca config files. So there's the binary of both, an over simplistic GUI and an over complex CLI. Perhaps there are better tools bridging that gap but my searching failed :(.

[tuckerpo]

Yeah, I'd prefer a GUI in this instance over going back and forth to the man page and trying to remember all of the options and all of their formats.

[bombcar]

It really comes down to "is this a one-time task you're trying to figure out" or do you want the options set once and never touch it again in a script.

With the CLI at least you can cut and paste the options from somewhere else.

[solar-ice]

Microsoft solved this for a lot of their server stuff by having a "show me the powershell command" at the end of most wizards. If you want to write a script, going through this process is usually a good idea.

[0daystock]

Google Cloud does this also - shows the equivalent gcloud command line to execute APIs available through the UI console.

[imwillofficial]

This is awesome

[paledot]

"Cut and paste the options from somewhere" is a questionable practice even when it's not part of a security-critical workflow. And yet I'd venture to say that most people who use OpenSSL do so with commands copy-pasted verbatim from the internet, specifically because of its obtuse complexity.

Set-and-forget still requires you to know what to set.

[Ekaros]

And leads to doing things with little of understanding how and why it actually works in the first place.

[paledot]

You presume that I can gain any insight at all by copy-pasting a series of arcane invocations from the internet.

[fenesiistvan]

I dont't konwn, if you realized that this user interface is just one of the many tabs

[Asooka]

The best design for me would be a CLI with a GUI on top and a "show command" button for when I find the right options to use.

[BeFlatXIII]

I've got a visual memory. I'm going to remember some obscure sub-menu on a forgotten screen far better than a command I learn and expect to use exactly once when I inevitably need to find it a second time.

[toastedwedge]

At first glance, it would be better with more separation of sections rather than cramming it all on one page. After a while it does become unruly, but it could be improved over time and after test case reports.

Some common functionality in tab ABC, and then opt-in for Headache Mode if necessary.

[jstimpfle]

This isn't even a GUI. It's only an image.

[imwillofficial]

It’s a joke

[jstimpfle]

You missed my point.

[jstimpfle]

Whoever downvoted me, let me expand: Since this is not a GUI, but only an image, maybe a GUI is not necessary?

[Rexxar]

Next time, you can start with the expanded version to avoid to do 3 messages and one complaint for downvotes.

[jstimpfle]

That makes me think... was your comment really necessary? Maybe it was my intention to let the reader draw their own conclusions. Maybe the expansion wasn't really necessary. I surely wouldn't have added another comment if there weren't the unnecessary downvotes.

Thank you for your time!