Hi @oborseth, this is intentional because the Let’s Encrypt CA has no way of verifying the correctness of that information. In principle, CAs should only include information in a certificate that the CAs were able to verify and regard as correct. Since I could make a CSR with, say,
O = Google Inc, L = Mountain View, ST = California, C = US, although I don’t work for Google and never have, it would not be ideal for Let’s Encrypt to then issue a cert with those fields in the X.509 data – they would be fraudulent and users could be confused if they thought that they were somehow accurate and verified.
Therefore, Let’s Encrypt uses the CSR only for the subject public key and for the list of subject names. (There are or will be minor exceptions in the future related to policy fields in the certificate that can be set at the option of the subscriber, but nothing related to the subscriber’s identity, since Let’s Encrypt simply can’t verify any of these things other than domain control.)
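The behaviour described in the post above, as an added Go example (not part of the original post and not Let's Encrypt's own code): a CSR claiming the O/L/ST/C values from the post is parsed, and only the public key and DNS names are taken from it. The function names `buildCSR` and `acceptedFromCSR` and the `example.com` names are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// buildCSR (hypothetical helper) creates a CSR whose subject claims an
// organization identity the requester never proved. Values are constructed.
func buildCSR(names []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: names[0], Organization: []string{"Google Inc"},
		Locality: []string{"Mountain View"}, Province: []string{"California"}, Country: []string{"US"}}
	tmpl := &x509.CertificateRequest{Subject: subj, DNSNames: names}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// acceptedFromCSR (hypothetical helper) returns what a domain-validating CA
// keeps (public key, DNS names) plus the claimed subject, which is only
// reported here so the caller can see what was not carried forward.
func acceptedFromCSR(der []byte) (interface{}, []string, pkix.Name, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, nil, pkix.Name{}, err
	}
	if err = csr.CheckSignature(); err != nil { // requester holds the private key
		return nil, nil, pkix.Name{}, err
	}
	return csr.PublicKey, csr.DNSNames, csr.Subject, nil
}

func main() {
	der, err := buildCSR([]string{"example.com", "www.example.com"})
	if err != nil {
		panic(err)
	}
	pub, names, claimed, err := acceptedFromCSR(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("kept: key %T, names %v\n", pub, names)
	fmt.Printf("claimed but unverified subject: %s\n", claimed.String())
}
```

Each returned DNS name would still have to pass a domain-control check before issuance; the CSR signature only shows possession of the key.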