Subject Alternative Name in Certificate Signing Request apparently does not survive signing

The following command apparently resolves the issue:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extensions SAN \
  -extfile <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[SAN]\nsubjectAltName=IP:1.2.3.4")) \
  -in key.csr -out key.crt

It is the same recipe as for openssl req, but with the two parameters extensions and extfile instead of reqexts and config.

This command was helpful for quickly confirming the desired outcome by printing the relevant section:

openssl x509 -in key.crt -text | grep "Subject Alternative Name" -C 1