func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) { template := x509.CertificateRequest{ Subject: pkix.Name{ CommonName: domain, }, } if len(san) > 0 { template.DNSNames = san } if mustStaple { template.Extensions = append(template.Extensions, pkix.Extension{ Id: tlsFeatureExtensionOID, Value: ocspMustStapleFeature, }) } return x509.CreateCertificateRequest(rand.Reader, &template, privateKey) }