I sent my last message a bit too hastily. Other ideas that I was
contemplating should have been mentioned, including:
- remove any unrecognized extensions
- remove tumors
Those could potentially cause problems if for some reason they were
actually needed. This one, though, shouldn't cause trouble:
- add a private EKU with a random number (or two) in the OID
That would not mess up the serial number scheme in use or modify the
subject name as has been suggested.
There is a simple fix -- a CA can just reorder the extensions prior
to issuing a certificate.
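
The private-EKU idea in the message above, sketched as an added example (not part of the original message and not any CA's code): it DER-encodes an extKeyUsage extension that carries a purpose OID whose last arc is a fresh random number, so the signed bytes cannot be predicted by the requester. The arc 1.3.6.1.4.1.32473 is the enterprise number reserved for documentation and stands in for a CA's own private arc; all function names are hypothetical.

```python
import secrets

# Assumption: placeholder private arc (documentation enterprise number).
PRIVATE_ARC = (1, 3, 6, 1, 4, 1, 32473, 1)
EKU_EXT_OID = (2, 5, 29, 37)               # id-ce-extKeyUsage
SERVER_AUTH = (1, 3, 6, 1, 5, 5, 7, 3, 1)  # id-kp-serverAuth

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def base128(arc):
    """One OID arc as big-endian base-128, high bit set on all but the last byte."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(out))

def der_oid(arcs):
    first = 40 * arcs[0] + arcs[1]  # the first two arcs share one value
    return tlv(0x06, base128(first) + b"".join(base128(a) for a in arcs[2:]))

def random_eku_oid(bits=64):
    """Private purpose OID ending in an unpredictable arc from the OS CSPRNG."""
    return PRIVATE_ARC + (secrets.randbits(bits),)

def eku_extension(purposes):
    """Non-critical Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }."""
    eku = tlv(0x30, b"".join(der_oid(p) for p in purposes))
    return tlv(0x30, der_oid(EKU_EXT_OID) + tlv(0x04, eku))

def decode_oid(body):
    """Inverse of der_oid's value bytes, used to check the round trip."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    a = min(arcs[0] // 40, 2)
    return (a, arcs[0] - 40 * a, *arcs[1:])

if __name__ == "__main__":
    oid = random_eku_oid()
    print(".".join(map(str, oid)))
    print(eku_extension([SERVER_AUTH, oid]).hex())
```

The random arc changes the extension's bytes on every issuance without touching the serial number or the subject name.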