Is there a reason why generating a root CA with `openssl req …` (with no -x509) followed by `openssl x509 …` doesn’t copy/preserve extensions?

Is there a reason for not copying certificate signing request’s (CSR) extensions over to certificate when creating a root CA the following way?

openssl req -config openssl.cnf -new -key ca.key.pem -out ca.csr.pem -addext ‘basicConstraints… Continue reading Is there a reason why generating a root CA with `openssl req …` (with no -x509) followed by `openssl x509 …` doesn’t copy/preserve extensions?