square / certstrap

Tools to bootstrap CAs, certificate requests, and signed certificates.

Allow complete customization of common name with new switch

jeremybusk opened this issue

First, this is an excellent project. Thank you!

However, it would be nice to have a --subject option in order to have complete control over the common name that is limited by assumptions of --common-name.

Example

certstrap init --key-bits=4096 --passphrase "fooo" --common-name "foo, DC = example, DC = com" --exclude-path-length
openssl x509 --text -in out/foo\,_DC_\=_example\,_DC_\=_com.crt | grep "Subject: CN"

returns

Subject: CN = "foo, DC = example, DC = com"

instead of
Subject: CN = foo, DC = example, DC = com

OpenSSL will allow you to do this with

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout a.key -out a.crt -subj "/DC=com/DC=example/CN=foo"

This might be nitty, but there are times it is nice to not have certstrap adding quotes or auto-prefixing CN.

Maybe there is a reason for controlling CN as full control causes more issues with the file auto format. I'm still playing around with it but it would appear init and request-cert seem to create different auto out file formats when using "=" and "," in the CN.
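
Added example, not part of the original issue and not certstrap's code: a Go sketch using the standard library's `crypto/x509/pkix` to show how the two subjects compared above differ once DER-encoded. The helper names `singleCN`, `structuredSubject` and `attributes` are hypothetical; the sample values are the ones from the issue.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}                        // commonName
var oidDC = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25} // domainComponent

// singleCN puts the whole string into one CN attribute, as with --common-name in the issue.
func singleCN(s string) pkix.Name { return pkix.Name{CommonName: s} }

// structuredSubject builds one RDN per DC followed by the CN, the order
// that -subj "/DC=com/DC=example/CN=foo" produces.
func structuredSubject(cn string, dcs ...string) pkix.Name {
	var n pkix.Name
	for _, dc := range dcs {
		v := asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(dc)} // DC is an IA5String (RFC 4519)
		n.ExtraNames = append(n.ExtraNames, pkix.AttributeTypeAndValue{Type: oidDC, Value: v})
	}
	n.ExtraNames = append(n.ExtraNames, pkix.AttributeTypeAndValue{Type: oidCN, Value: cn})
	return n
}

// attributes DER-encodes the name, decodes it again and returns one "OID=value" per attribute.
func attributes(n pkix.Name) ([]string, error) {
	der, err := asn1.Marshal(n.ToRDNSequence())
	if err != nil {
		return nil, err
	}
	var seq pkix.RDNSequence
	if _, err := asn1.Unmarshal(der, &seq); err != nil {
		return nil, err
	}
	var out []string
	for _, rdn := range seq {
		for _, atv := range rdn {
			out = append(out, fmt.Sprintf("%s=%v", atv.Type, atv.Value))
		}
	}
	return out, nil
}

func main() {
	fmt.Println(attributes(singleCN("foo, DC = example, DC = com")))
	fmt.Println(attributes(structuredSubject("foo", "com", "example")))
}
```

The first name decodes to a single CN attribute whose value contains the commas and equals signs literally; the second decodes to three separate attributes, which is what directory-style name matching on DC components operates on.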