To answer my own question:
Yes, there is a flag on the openssl ca command that will preserve the order of fields in the subject DN:
    -preserveDN
        Normally the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll.
So, this solves the immediate problem.
However, in the long run it would be better if the AWS Private CA put the subject DN fields in the more usual order of C=, ST=, O=, OU=, CN=. This is supposed to represent a descent into an X.500 directory tree, and the order of C=, O=, OU=, ST=, CN=, L= is just bizarre.
Also note that the openssl ca man page specifically indicates that this option was created for a really old IE quirk, and is no longer needed. The OpenSSL/LibreSSL devs may remove this option and then we'd be stuck again. We could re-order the fields in the openssl.conf file, but this seems to be overkill for a single oddball case.
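The following script is an added example, not part of the original post or of any AWS or OpenSSL documentation. It builds a throwaway CA in a temp directory, creates a CSR whose subject uses the C, O, OU, ST, CN, L order described above, and signs it three ways: with the policy section in the conventional X.500 order (the issued DN follows the policy), with -preserveDN (the issued DN follows the request), and with a second policy section whose field order mirrors the request (the config-reordering alternative mentioned above, no -preserveDN needed). It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; every name in it (demo-root, Example, leaf.example, Seattle) is made up.

```shell
#!/bin/sh
# Added example (not from the original post): show how `openssl ca` orders
# the subject DN with and without -preserveDN, and with a reordered policy
# section. Assumes `openssl` 1.1.1+ on PATH; all names are made up.
set -eu

# Build a minimal `openssl ca` environment under $DEMO_DIR and create a CSR
# whose DN uses the AWS-style order the post complains about: C,O,OU,ST,CN,L.
setup_demo_ca() {
    DEMO_DIR=$(mktemp -d)
    mkdir -p "$DEMO_DIR/newcerts"
    : > "$DEMO_DIR/index.txt"
    echo 1000 > "$DEMO_DIR/serial"

    cat > "$DEMO_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $DEMO_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 30
unique_subject  = no   # we sign the same CSR several times
policy          = policy_usual
x509_extensions = leaf_ext

# Conventional X.500 order; the issued DN follows this order unless
# -preserveDN is given.
[ policy_usual ]
countryName            = supplied
stateOrProvinceName    = optional
localityName           = optional
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied

# Alternative from the post: a policy whose order mirrors the request.
[ policy_request_order ]
countryName            = supplied
organizationName       = supplied
organizationalUnitName = optional
stateOrProvinceName    = optional
commonName             = supplied
localityName           = optional

[ leaf_ext ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF

    openssl ecparam -name prime256v1 -genkey -noout -out "$DEMO_DIR/ca.key"
    openssl req -config "$DEMO_DIR/ca.cnf" -x509 -new -key "$DEMO_DIR/ca.key" \
        -days 30 -subj "/CN=demo-root" -out "$DEMO_DIR/ca.crt"

    openssl ecparam -name prime256v1 -genkey -noout -out "$DEMO_DIR/leaf.key"
    openssl req -config "$DEMO_DIR/ca.cnf" -new -key "$DEMO_DIR/leaf.key" \
        -subj "/C=US/O=Example/OU=Eng/ST=WA/CN=leaf.example/L=Seattle" \
        -out "$DEMO_DIR/leaf.csr"
}

# sign_csr OUTFILE [extra `openssl ca` options]: issue a cert for leaf.csr.
# `openssl ca` chatters on stderr; it is silenced, but a failure still aborts
# the script because of `set -e`.
sign_csr() {
    out=$1; shift
    openssl ca -batch -notext -config "$DEMO_DIR/ca.cnf" \
        -in "$DEMO_DIR/leaf.csr" -out "$DEMO_DIR/$out" "$@" 2>/dev/null
}

# Reduce a "subject=/C=US/O=Example/..." line to its attribute types in
# encoded order, e.g. "C,O,OU,ST,CN,L". (Simplification: assumes no '/' or
# '=' inside attribute values.)
dn_types()      { sed 's/^subject=//' | tr '/' '\n' | sed -n 's/=.*//p' | tr '\n' ',' | sed 's/,$//'; }
csr_order()     { openssl req  -in "$1" -noout -subject -nameopt compat | dn_types; }
subject_order() { openssl x509 -in "$1" -noout -subject -nameopt compat | dn_types; }

run_demo() {
    setup_demo_ca
    sign_csr leaf_policy.crt                                  # policy order wins
    sign_csr leaf_preserve.crt  -preserveDN                   # request order kept
    sign_csr leaf_reordered.crt -policy policy_request_order  # policy mirrors request
    printf 'CSR order:                 %s\n' "$(csr_order "$DEMO_DIR/leaf.csr")"
    printf 'ca (policy order):         %s\n' "$(subject_order "$DEMO_DIR/leaf_policy.crt")"
    printf 'ca -preserveDN:            %s\n' "$(subject_order "$DEMO_DIR/leaf_preserve.crt")"
    printf 'ca -policy request order:  %s\n' "$(subject_order "$DEMO_DIR/leaf_reordered.crt")"
    printf 'artifacts left in %s\n' "$DEMO_DIR"
}

run_demo
```

Running it prints the CSR order C,O,OU,ST,CN,L, then C,ST,L,O,OU,CN for the plain `openssl ca` run, and C,O,OU,ST,CN,L for both the -preserveDN run and the reordered-policy run. The last line is the point of the post's caveat: if -preserveDN ever disappears, a policy section whose fields are listed in the request's order gives the same result with no extra flag, at the cost of maintaining one more section in the config.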