MachPower:~ tperfitt$ /Applications/Certificate\ Request.app/Contents/Resources/tcscertrequest 
tcscertrequest  -s <server dns name> -c <name of ca> -t <template name> [-r <csr path>] [-k <path_to_keychain>] [-y] [-m <yubikey_management_key] [-s <yubikey slot]

tcscertrequest is a command line tool to send a certificate request via RPCs to a Microsoft certificate authority.

Options:
    -r <csr path>           Path to certificate signing request in binary (DER) format. Can use "openssl req -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr -subj '/CN=computername' -outform der" command to generate.
    -g <Common Name>        Generate CSR with Common Name. Certificate will be generated with RSA 2048 bits SHA512 
    -n <label>              Label in keychain for imported identity
    -s <server path>        CA Server DNS name.
    -c <name of ca>         Name of the certificate authority.  This is not the server name but the name used in the Common Name of the issuing authority.
    -k <path to keychain>   keychain to store certificate and private key. Stores in user keychain if not specified.
    -y                      generate key in Yubikey.  Requires slot (-l) and management key (-m)
    -l <Yubikey slot>       Specify yubikey slot. For example, 9a. Requires -y.
    -m                      Yubikey management key. PIN not supported. Must use full management key. Requires -y.
    -t <template name>      Name of the template to use when signing the certificate. Common template names include User or Machine.
    -v                      Verbose output