What is the valid content to accept acme-challenge?

That's correct, at least in standalone mode.

Correct, if you don't use port 443, you can continue to use standalone.

I was able to verify that Go's x509 library (which is what the CA server uses) chokes on this particular CSR: Go Playground - The Go Programming Language

I had a bit of a déjà vu while doing this and eventually found this thread, where someone else was experiencing the same problem with a CSR generated by unifi:

Unfortunately, it doesn't look like a solution was posted. There's either an issue in unifi that produces invalid CSRs, or Go's ASN.1 parser has a bug. I tried to find the problem using various ASN.1 parsers, but couldn't find anything. Perhaps someone with more of an understanding of ASN.1 will find the problem.
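A local version of the kind of check described above, as an added example (not code from this thread or from the CA server): it runs a CSR through Go's `crypto/x509` and reports whether it fails at PEM decoding, at ASN.1/X.509 parsing, or at the self-signature check. The CSR is constructed in-process with a throwaway key and the placeholder name `example.test`; `checkCSR`, `sampleCSR` and `pemOf` are names made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// checkCSR reports the first stage at which a PEM-encoded CSR fails:
// "pem", "parse" (ASN.1/X.509 structure), "signature", or "ok".
func checkCSR(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "pem", fmt.Errorf("no PEM block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "parse", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "signature", err
	}
	return "ok", nil
}

// sampleCSR returns a constructed CSR in DER form (throwaway key, placeholder name).
func sampleCSR() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	req := &x509.CertificateRequest{DNSNames: []string{"example.test"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		panic(err)
	}
	return der
}

func pemOf(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}) }

func main() {
	der := sampleCSR()
	// Valid CSR, a truncated copy (broken ASN.1), and input that is not PEM at all.
	for _, in := range [][]byte{pemOf(der), pemOf(der[:len(der)-5]), []byte("not a CSR")} {
		fmt.Println(checkCSR(in))
	}
}
```

A CSR that stops at the "parse" stage here is rejected by Go's parser before any signature or policy check runs, which separates an encoding problem from a bad signature.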

@allrik: Did you ever find a solution for this? Thanks!