How to generate a CSR (certificate signing request) for creating a limited CA (Certificate Authority) with LibreSSL?

Related to this (too broad) question: How to implement my PKI?

I have a self-signed CA (ca0)

I would like to create a CA (ca1) with limited power derived from that first CA. ca1 should only be able to sign certificates for * and for

From this question, I found out that the Name Constraints extension is probably what I want.

The key for ca1 is already created and is

I already have an incomplete command for creating the request:

libressl req -new -sha512 -key -out 

What should I add to that line to limit ca1’s power to what I want?