/etc/ssl/openssl.cnf should have the below by default on Fedora at least, but on MacOS it doesn’t and has to be added.

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

Also, append:

x509_extensions = v3_ca

To the end of [ req ].