Correct me if I am wrong but if there was a problem with the cert of the Root CA clients wouldn't install any updates signed with any cert generated by the Root CA.
The fact that I can get it all to work just by telling Package Publisher to ignore Cert Errors suggests that the cert itself is fine but rather something in the detection mechanism just doesn't like it.
I suspect the "Key Usage" Extension
The Self-Signed cert does not have a "Key Usage" extension.
Both keys have an "Enhanced Key Usage" Extension with a value of "Code Signing (1.3.6.1.5.5.7.3.3)" but the Root CA Generated key also has "Key Usage" with a value of "Digital Signature (80)" that by default is critical (unchecking critical doesn't help). This should not be a problem unless the detection method is looking for "Code Signing" in the "Key Usage" extension rather than "Enhanced Key Usage".
The fact that I can get it all to work just by telling Package Publisher to ignore Cert Errors suggests that the cert itself is fine but rather something in the detection mechanism just doesn't like it.
I suspect the "Key Usage" Extension
The Self-Signed cert does not have a "Key Usage" extension.
Both keys have an "Enhanced Key Usage" Extension with a value of "Code Signing (1.3.6.1.5.5.7.3.3)" but the Root CA Generated key also has "Key Usage" with a value of "Digital Signature (80)" that by default is critical (unchecking critical doesn't help). This should not be a problem unless the detection method is looking for "Code Signing" in the "Key Usage" extension rather than "Enhanced Key Usage".