Create a self-signed CA in openssl in two commands, `openssl req` (with no -x509) and `openssl x509` while preserving extensions from CSR?

Related question:
Missing X509 extensions with an openssl-generated certificate

I know other methods exist (i.e the openssl req -x509 ...), but specifically for using two separate commands

  1. openssl req -config openssl.cnf -new -key ca.key.pem -out ca.csr.pem -addext 'basicConstraints=critical,CA:true' -addext 'keyUsage=critical,keyCertSign'
  2. openssl x509 -req -in ca.csr.pem -signkey ca.key.pem -out ca.crt.pem

to create a CA. Is there really no way to preserve the extensions from the CSR?