If you are pulling in external tools, it may make sense to use an external tool like openssl to generate the keypair and CSR with that tool instead of using the switch.
The benefit is that you can probably create multiple keypairs and CSRs in a single run, instead of needing to generate those on each switch. When you have the certificates signed, you can upload them with the key to the switch. An exception could be if you require the key to be generated and never leave the switch. On the other hand, if you run the process externally, you have a backup of the key material.
It is a matter of personal preference though.
For larger deployments, you may want to look at whether EST (Enrollment over Secure Transport) may be a better way to get certificates on your switches.
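
The external approach described above, as an added example that is not part of the original post: a bash script that generates one key and CSR per switch in a single run with openssl, then checks each CSR before it goes to the CA. The hostnames, the `Example Org` subject and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: one key + CSR per switch, generated off-box with openssl.
# The O= value and the hostnames are constructed placeholders.
set -eu

gen_switch_csr() {  # $1 = output dir, $2 = switch FQDN (used as CN and SAN)
    outdir=$1 fqdn=$2
    key="$outdir/$fqdn.key" csr="$outdir/$fqdn.csr"
    # Never silently replace a key that a deployed certificate may depend on.
    [ ! -e "$key" ] || { echo "refusing to overwrite $key" >&2; return 1; }
    cnf=$(mktemp)
    cat >"$cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
O = Example Org
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    # The key is written unencrypted (-nodes) for upload; umask keeps it owner-only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
          -keyout "$key" -out "$csr" 2>/dev/null )
    rm -f "$cnf"
}

csr_is_valid() {  # $1 = CSR; checks the CSR's self-signature
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_matches_key() {  # $1 = CSR, $2 = key; compares the two public keys
    a=$(openssl req -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# Usage: ./gen-csrs.sh OUTDIR sw1.example.net sw2.example.net ...
if [ "$#" -ge 2 ]; then
    out=$1; shift
    mkdir -p "$out"
    for host in "$@"; do
        gen_switch_csr "$out" "$host"
        csr_is_valid "$out/$host.csr"
        csr_matches_key "$out/$host.csr" "$out/$host.key"
        echo "ok: $host"
    done
fi
```

The output directory holds unencrypted private keys, so it is the backup of the key material the post mentions and needs to be stored accordingly.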