diff --git a/lib/pki.nix b/lib/pki.nix
index a760361..3e5c06c 100644
--- a/lib/pki.nix
+++ b/lib/pki.nix
@@ -21,38 +21,32 @@ let
 }
 '';
- gencsr = args: pkgs.writeText "${args.name}-csr.json" ''
- {
- "CN": "${args.cn}",
- "hosts": [ ${args.hosts} ],
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "O": "${args.o}"
- }
- ]
- }
- '';
+ csr = o: {
+ key = {
+ algo = "rsa";
+ size = 2048;
+ };
+ names = [
+ {
+ CN = "kubernetes-cluster-ca";
+ O = "${o}";
+ OU = "services.kubernetes.pki.caSpec";
+ L = "generated";
+ }
+ ];
+ };
+
+ gencsr = args: pkgs.writeText "${args.name}-csr.json" (builtins.toJSON {
+ CN = "${args.cn}";
+ hosts = [ "${args.hosts}" ];
+ } // csr args.o
+ );
 initca' = let
- ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON {
- key = {
- algo = "rsa";
- size = 2048;
- };
- names = [
- {
- CN = "kubernetes-cluster-ca";
- O = "NixOS";
- OU = "services.kubernetes.pki.caSpec";
- L = "generated";
- }
- ];
- });
+ ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (
+ builtins.toJSON (csr "NixOS")
+ );
 in pkgs.runCommand "initca" {
 buildInputs = [ pkgs.cfssl ];
@@ -104,17 +98,6 @@ let
 o = name;
 };
 };
-
- # certToSet = cert:
- # {
- # key = "${cert}/cert-key.pem";
- # cert = "${cert}/cert.pem";
- # };
-
- # builtins.foldl'
- # (a: x: a // { ${x} = (certificates.${x}); })
- # { inherit ca; }
- # (builtins.attrNames certificates)
 in {
 inherit ca;
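Review bot: In the new gencsr the expression `builtins.toJSON { … } // csr args.o` parses as `(builtins.toJSON { … }) // csr args.o`, because function application binds tighter than `//` in Nix, so the update operator is applied to a string and evaluation fails as soon as any leaf certificate is built; the merge must be parenthesized before serialising, `builtins.toJSON ({ CN = args.cn; hosts = args.hosts; } // csr args.o)`. Two further points in the same hunk: `hosts = [ "${args.hosts}" ]` now emits exactly one SAN string where the removed template spliced a raw JSON fragment into the array, so a multi-host or already-quoted value would become a single bogus SAN — callers should pass a Nix list and the field should read `hosts = args.hosts;` (the call sites are outside this hunk, so I cannot confirm what they pass today). The shared `csr` helper also stamps `CN = "kubernetes-cluster-ca"`, `OU = "services.kubernetes.pki.caSpec"` and `L = "generated"` into the subject names of every leaf CSR, whereas the old template set only `O`; those CA-specific fields should stay on the CA call site so service certificates do not carry a CA-looking subject. A reworked helper that keeps the CA-only fields at the CA call site follows.
```nix
csr = o: extraNames: {
  key = {
    algo = "rsa";
    size = 2048;
  };
  # Leaf CSRs get O alone (as before); the CA call site adds its own fields.
  names = [ ({ O = o; } // extraNames) ];
};

gencsr = args: pkgs.writeText "${args.name}-csr.json" (builtins.toJSON ({
  CN = args.cn;
  hosts = args.hosts;  # expects a Nix list of SAN strings — confirm at call sites
} // csr args.o {}));

# … unchanged: initca' let-binding …
ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON (csr "NixOS" {
  CN = "kubernetes-cluster-ca";
  OU = "services.kubernetes.pki.caSpec";
  L = "generated";
}));
```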