There is nothing against sending the CertMaker folder along with your application and having your clients do the work. The only trouble would be the user security options on the client's system blocking execution of batch files. But some users seize when they see a DOS window...
A web form done right, from the perspective of the user, is much simpler and easier to use. You could also create an executable that does the same thing as the batch file, but then you're reinventing the wheel. It wouldn't be tough since you can provide all the required values to openssl.exe as command-line options, instead of running openssl.exe in the interactive mode you're probably used to.
While you're at it, you could create a web form to accept the CSR and return a signed certificate using your own CA so your users can test their settings before flushing their money on a real certificate. The danger is some users may try to get by on the certificate you signed, which they will ultimately be unhappy with, instead of a real one.
At the risk of proving my naivety, I suspect you can accomplish the task of a web form approach entirely within NetTalk (with openssl, of course) without the need for OddJob (which I haven't actually tried to use, yet).
If you go the web form route, I would very much like to see what you come up with, as I have contemplated the same approach.
Regards,
Flint
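
The non-interactive openssl call mentioned in the post, as it might sit behind a web form. This is an added example, not part of the original post and not CertMaker's or NetTalk's code. The form field names, file paths, 2048-bit RSA key size and an `openssl` executable on the PATH are assumptions.

```python
import re
import subprocess

# Assumed form fields mapped to X.509 subject attributes (hypothetical names).
FIELDS = [("country", "C"), ("state", "ST"), ("city", "L"),
          ("organization", "O"), ("common_name", "CN")]

# Whitelist: letters, digits, space and a few punctuation marks. This rejects
# '/', '+', '=' and '\', which have special meaning inside an -subj string,
# so a form value cannot smuggle in an extra subject attribute.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 .,'()*@_-]{1,64}")


def build_subject(form):
    """Turn validated form values into an openssl -subj string."""
    parts = []
    for name, attr in FIELDS:
        value = form.get(name, "").strip()
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"invalid value for {name}")
        if attr == "C" and not re.fullmatch(r"[A-Za-z]{2}", value):
            raise ValueError("country must be a two-letter code")
        parts.append(f"{attr}={value.upper() if attr == 'C' else value}")
    return "/" + "/".join(parts)


def build_csr_command(form, key_path, csr_path, openssl="openssl"):
    """Argument list for a new RSA key plus CSR, with no interactive prompts."""
    # -nodes writes the private key unencrypted; protect key_path accordingly.
    return [openssl, "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", key_path, "-out", csr_path,
            "-subj", build_subject(form)]


def generate_csr(form, key_path, csr_path):
    # An argument list (default shell=False) keeps form values away from any
    # command interpreter, unlike text substituted into a batch file.
    subprocess.run(build_csr_command(form, key_path, csr_path), check=True)


if __name__ == "__main__":
    sample = {"country": "us", "state": "Ohio", "city": "Dayton",  # constructed
              "organization": "Example Widgets",
              "common_name": "www.example.com"}
    print(" ".join(build_csr_command(sample, "server.key", "server.csr")))
```
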