The problem openssl has is with the intermediate signing certificate's extendedKeyUsage. openssl wants codeSigning (1.3.6.1.5.5.7.3.3) or emailProtection (1.3.6.1.5.5.7.3.4).
The certificate actually has msCTLSign ("Microsoft Trust List Signing",
1.3.6.1.4.1.311.10.3.1) for some reason. The only use for this EKU appears
to be certificate list updates.
