I'm not saying no, but here's an alternative that might work for you: to add to Tunnelblick the ability to "pass through" the --management-external-key commands to a separate-from-Tunnelblick, stand-alone program such as yours. That wouldn't include the key generation / CSR / import sequence that you describe, but it would allow alternatives, such as having keys stored in physical devices or in the Keychain, to be very easily implemented. I think it would be pretty quick and easy for me to add that to Tunnelblick.
It could be implemented in Tunnelblick by having "forced preferences" (a Tunnelblick thing: a preference that can only be set/modified/deleted by a computer administrator) that would be the path to a Unix socket and the path to a read-only-by-root password file, mimicking the arguments to OpenVPN's --management option. Tunnelblick would connect to the socket and send the password, and then send any rsa-sig and/or certificate commands that come from OpenVPN to Tunnelblick to the socket, and the socket's output to Tunnelblick would be passed by Tunnelblick back to OpenVPN. I don't think a user-facing interface in the Tunnelblick GUI would be needed or desired, but that's a separate issue.
Would this work for you? What are your thoughts?
Of course, anyone else is encouraged to chime in, too!
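
The pass-through proposed in the post above, sketched as an added example (not Tunnelblick's or the poster's code): a relay filter that forwards only the signing and certificate requests to the helper socket and accepts only one well-formed reply block back. The function names are hypothetical; the message formats (`>RSA_SIGN:`, `>NEED-CERTIFICATE:`, `rsa-sig`/`certificate` ... `END`) are assumed from OpenVPN's management-interface notes.

```python
import re

# Notifications OpenVPN emits when it needs the external key or certificate.
SIGN_PREFIX = ">RSA_SIGN:"
CERT_PREFIX = ">NEED-CERTIFICATE:"
# The only commands the helper may send back through the relay.
ALLOWED_REPLIES = ("rsa-sig", "certificate")
PEM_ARMOR = ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----")
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def should_forward(line: str) -> bool:
    """True if a line from OpenVPN belongs on the helper's socket."""
    if line.startswith(SIGN_PREFIX):
        return BASE64_LINE.fullmatch(line[len(SIGN_PREFIX):]) is not None
    # Certificate requests carry a free-form hint after the prefix.
    return line.startswith(CERT_PREFIX) and len(line) > len(CERT_PREFIX)


def validate_reply(lines: list[str]) -> str:
    """Accept exactly one rsa-sig/certificate block; return its wire form."""
    if len(lines) < 3 or lines[0] not in ALLOWED_REPLIES or lines[-1] != "END":
        raise ValueError("reply is not a complete rsa-sig/certificate block")
    for body in lines[1:-1]:
        # An early END would close the block and let the remaining lines
        # reach OpenVPN as ordinary management commands.
        if body == "END":
            raise ValueError("embedded END in reply body")
        if lines[0] == "certificate" and body in PEM_ARMOR:
            continue
        if BASE64_LINE.fullmatch(body) is None:
            raise ValueError("non-base64 line in reply body")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real session.
    for sample in (">RSA_SIGN:dGVzdA==", ">STATE:1700000000,CONNECTED,SUCCESS"):
        print(sample, "->", "forward" if should_forward(sample) else "keep local")
    print(validate_reply(["rsa-sig", "c2lnbmF0dXJl", "END"]), end="")
```

Filtering in both directions keeps the helper from seeing unrelated management traffic and from issuing any management command other than the two replies it exists to provide.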