An option to generate a private key and a certificate request to be sent to the system admin for signing would be nice. When the sysadmin has signed the CSR, another option to import the signed certificate (maybe with a config file with the correct certificate configuration) and create a connection based on it would also be good.
With this option, one could arrange a secure VPN connection remotely, i.e. the client computer/user would not need to visit the IT facility. No unsafe usernames/passwords would be needed.
Of course, an option to generate the key on a smart card would be even better.
In my setup I used the Windows Crypto API to provide certificates: all computers are domain members and certificates are pushed via group policy. This reduced administrative efforts quite a bit!
For the GUI to support CSR generation, it will probably require SSL libraries to be present, as well as some templates, etc. Looks like a lot of work, yet quite a nice feature as a result! Probably that can be done in a separate app; even a simple batch script that invokes OpenSSL should be enough! You don't generate a CSR that often after all, nothing fancy required. Hence the CSR generation step can even be included in the NSIS installer!
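The scripted CSR step discussed in this thread, as an added example that is not part of the original posts or of the project: the client generates its key locally, sends only the CSR, and checks on import that the signed certificate belongs to that key. It assumes the `openssl` CLI is on PATH; the function names and the `client.key`/`client.csr` file names are hypothetical, and the same `openssl` invocations can be called from a Windows batch file.

```shell
#!/bin/sh
# Added example: client-side CSR workflow with the openssl CLI.
# Assumptions: openssl on PATH; file and function names are hypothetical.

# make_csr DIR CN
# Create a private key and a CSR in DIR. Only client.csr is sent to the
# admin; client.key never leaves the client machine.
make_csr() {
    dir=$1
    cn=$2
    # Subshell so the restrictive umask (key readable by owner only)
    # does not leak into the caller's shell.
    # -nodes leaves the key unencrypted on disk; drop it to be prompted
    # for a passphrase instead.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/client.key" -out "$dir/client.csr" \
            -subj "/CN=$cn" 2>/dev/null
    ) || return 1
    # Self-check: the CSR's signature must verify against its own public key.
    openssl req -in "$dir/client.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# cert_matches_key CERT KEY
# Import-time check: succeed only if the signed certificate carries the
# public key that belongs to the local private key. A certificate issued
# for some other key pair is rejected before a connection is configured.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```
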