It turns out that producing a certificate-request that Apple will accept in order to authorize you to send notifications to a client’s phone on their behalf is nightmarish, due to the shear lack of information on the subject (Apple provides no documentation).
Behold, csr_to_apns_csr. As long as you have your “MDM vendor certificate” (a P12 certificate that Apple gives you) and the CSR for your client, you’re in business.
$ csr_to_apns_csr -h usage: csr_to_apns_csr [-h] [-x] csr vendor_p12 vendor_p12_pass Produce an Apple-formatted APNS 'push' CSR. positional arguments: csr client CSR (PEM) vendor_p12 MDM vendor P12 certificate (DER) vendor_p12_pass passphrase for MDM vendor P12 certificate optional arguments: -h, --help show this help message and exit -x, --xml show raw XML