It looks like there are two possible values for the PEM header in CSRs.

Certstrap currently expects the new style (used by OpenSSL) of "CERTIFICATE REQUEST".

The Microsoft certreq tool generates certificate requests with the old style "NEW CERTIFICATE REQUEST" (see https://stackoverflow.com/questions/28628744/is-there-a-spec-for-csr-begin-headers for a discussion of this).

Would it be possible for certstrap to support the style used by certreq so these do not need to be modified prior to use?

Sure. Pull requests are welcome. We don't have any Windows machines at Square so I wouldn't be able to test it, but if you want to contribute a patch we'll be happy to accept it. Or if you can post an example Microsoft CSR here, I can take a look at it.

I do - I'll generate some tests in a few hours.