step-cli ca sign lets a user sign an existing CSR using the CA. The overall process and syntax is very similar to step-cli ca certificate, so it should be possible to use a CSR as an alternative source in step_ca_certificate.
This would require only a csr parameter that, when provided, switches the command to sign instead certificate. In addition, the key file parameter would need to become optional.

Wait this feature.