There are many places in VyOS where certificates and keys of various types are used: VPN (OpenVPN, IPsec, L2TP, SSTP, Wireguard) and the HTTP API. These user-supplied certificates need to be verified for the proper format before they are applied to the configuration. Currently each script does its own checking, and some don't check the files at all.
To prevent duplication of code, a common crypto library should be created that uses either the python cryptography package or standalone CLI tools called through subprocess. The cryptography package should be preferred, since it natively offers all the operations that openssl does, and openssl wasn't designed to be called in batch mode, so hacks are sometimes required to stop it from asking for passphrases on stdin.
Op-mode commands to generate keys, CSRs, CAs and certificates could be implemented using this library. This is currently only possible through manual use of openssl or by downloading easyrsa (some very limited op-mode tools are already available, but they aren't useful in many circumstances).
Some scripts (OpenVPN) also need to modify their behavior depending on which key type is used (RSA or EC), so a way to check which type was supplied is needed.
It should include:
- key generation functions of various types (RSA, EC, SSH) and sizes
- certificate type checking (whether it's RSA, EC, ...)
- encrypted key checking (whether a given key is encrypted with a passphrase or not)
- self-signed and externally signed CA creation (where the user doesn't want to host their CA on a more isolated system - this should be discouraged)
- SSH private and public key generation of various sizes
- SSH private key checking for encryption (whether it's encrypted with a passphrase or not)
- DH parameter generation of various sizes
- OpenVPN-specific TLS key generation (as generated by openvpn --genkey --secret)
- Wireguard key generation and checking
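As an added illustration of the first three items (key generation, key type checking and encrypted-key checking) built on the python cryptography package, here is a sketch of what such helpers could look like. This is example code written for this note, not VyOS code; the function names are assumptions, and it covers only RSA and EC private keys in PEM form.

```python
# Added example (not VyOS code): helpers of the kind the proposal asks for,
# built on the python "cryptography" package rather than openssl via subprocess.
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa, ec


def generate_private_key_pem(key_type, size_or_curve=None, passphrase=None):
    """Return a PEM-encoded (PKCS#8) private key; key_type is 'rsa' or 'ec'."""
    if key_type == "rsa":
        key = rsa.generate_private_key(public_exponent=65537,
                                       key_size=size_or_curve or 2048)
    elif key_type == "ec":
        key = ec.generate_private_key(size_or_curve or ec.SECP256R1())
    else:
        raise ValueError(f"unsupported key type: {key_type}")
    enc = (serialization.BestAvailableEncryption(passphrase) if passphrase
           else serialization.NoEncryption())
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8, enc)


def is_key_encrypted(pem_bytes):
    """True if the PEM private key needs a passphrase to be loaded."""
    try:
        serialization.load_pem_private_key(pem_bytes, password=None)
    except TypeError:
        # cryptography raises TypeError when a password is required but missing;
        # a malformed key raises ValueError instead and propagates to the caller.
        return True
    return False


def key_type(pem_bytes, passphrase=None):
    """Return 'rsa', 'ec' or 'other' for a PEM private key (the check OpenVPN needs)."""
    key = serialization.load_pem_private_key(pem_bytes, password=passphrase)
    if isinstance(key, rsa.RSAPrivateKey):
        return "rsa"
    if isinstance(key, ec.EllipticCurvePrivateKey):
        return "ec"
    return "other"


def validate_key_file(pem_bytes):
    """Verify-before-apply shape: reject non-PEM input, report type and encryption."""
    if not pem_bytes.startswith(b"-----BEGIN"):
        raise ValueError("not a PEM-encoded private key")
    encrypted = is_key_encrypted(pem_bytes)
    return {"encrypted": encrypted,
            "type": None if encrypted else key_type(pem_bytes)}
```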