> OpenSSL would ignore the key in a CSR input file.

OpenSSL by default ignores many (/all?) extensions for security. You can still manually add the nameConstraints when signing the CA cert.

https://security.stackexchange.com/a/150175