
This should be part of openssl :)


You can do this kind of thing with OpenSSL, but it's... arcane.


It's not just arcane, it's a horrible idea from an infosec perspective. Thinking about all my wonderful developers having local trusted root CAs just sitting on their hard drives is making my blood pressure skyrocket.


I have it boiled into a few shell scripts that generate the cnf files needed. OpenSSL has improved its CLI beyond the old Perl script that had long been used for running a local CA, and you get fine-grained control over what features you want.



