Solved. Thanks dbasic.
On the CA's system where the signing activity takes place, make a copy of /etc/ssl/openssl.conf and modify it and create a new config file. Use that modified-copy when signing.
cp /etc/ssl/openssl.cnf ./openssl-for-signing-csrs.cnf
And modify the 'countryName', stateOrProvinceName or 'organizationName' to 'supplied'. This indicates that the certificate should use the values from the CSRs and do not attempt to match with the certificate (one would attempt to 'match' only for self-signing, the default openssl.cnf seems to have been made for self-signing and not for a CA)
80,82c80,82
< countryName = match
< stateOrProvinceName = match
< organizationName = match
---
> countryName = supplied
> stateOrProvinceName = supplied
> organizationName = supplied