It turns out that producing a certificate-request that Apple will accept in order to authorize you to send notifications to a client’s phone on their behalf is nightmarish, due to the shear lack of information on the subject (Apple provides no documentation).

Behold, csr_to_apns_csr. As long as you have your “MDM vendor certificate” (a P12 certificate that Apple gives you) and the CSR for your client, you’re in business.

$ csr_to_apns_csr -h
usage: csr_to_apns_csr [-h] [-x] csr vendor_p12 vendor_p12_pass

Produce an Apple-formatted APNS 'push' CSR.

positional arguments:
  csr              client CSR (PEM)
  vendor_p12       MDM vendor P12 certificate (DER)
  vendor_p12_pass  passphrase for MDM vendor P12 certificate

optional arguments:
  -h, --help       show this help message and exit
  -x, --xml        show raw XML