One quick idea. Did you remove old CA certificate from Trusted Root CAs? You have to import new CA certificate into the Trusted Root CAs in Windows. It depends if you installed in your user store or computer store. This may help you: https://www.thesslstore.com/knowledgebase/ssl-install/how-to-import-intermediate-root-certificates-u...

Hi,

To my understanding, it seems not relate to windows certificate manager. It is stored in the keystore/truststore. Attached is the windows trust root ca.

Go to the ca\certs directory and copy ca.cert.pem to ca.cert.crt. Double-click on ca.cert.crt and you should see that it is not trusted. You have to ad it to trusted certificates. I think that you have added previous CA certificate to your personal store not the computer store. Check it too.
 

HI,

I haved added the CA cert into local machine. I can see the generated cert is using new CA cert. However, the cert is still invalid digital signature. Any idea?

But, did you remove the old CA cert from trusted certificates? I think that this is the issue.

Run this command in the directory where you have run.cmd:

openssl verify -CAfile ca\certs\ca.cert.pem certificates\repository.cer

Hi,

Here is result.

certificates/repository.cer: OK