Making pfx from certificates with openssl giving "No certificates matches private key"

I am unable to work out what is going wrong with this:

$ openssl genrsa -out sign.key 4096
$ openssl req -x509 -new -nodes -key sign.key -sha256 -days 1825 -out sign.pem
...
$ openssl pkcs12 -export -out sign.pfx -inkey sign.key -in sign.pem
Enter Export Password:
Verifying - Enter Export Password:
$ openssl genrsa -out cert.key 4096
$ openssl req -new -sha256 -key cert.key -out cert.csr
$ openssl x509 -in cert.csr -out cert.pem -req -signkey sign.key -days 1001
$ openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.pem
No certificate matches private key
$ openssl pkcs12 -export -out cert.pfx -inkey cert.key -in sign.pem -in cert.pem
No certificate matches private key
$ openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.pem -certfile sign.pem
No certificate matches private key
$ cat sign.pem cert.pem > bundle.pem
$ openssl pkcs12 -export -out cert.pfx -inkey cert.key -in sign.pem -certfile bundle.pem
No certificate matches private key
$ cat cert.pem sign.pem > bundle.pem
$ openssl pkcs12 -export -out cert.pfx -inkey cert.key -in sign.pem -certfile bundle.pem
No certificate matches private key

I've tried doing this on both Windows in Git Bash and on a Linux VM, same result.



Solution 1:[1]

Turns out you cannot just sign a certificate like this and expect it to work; I had to properly sign using ca:

$ openssl ca -config openssl.cnf -in cert.csr -out cert.pem
$ openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.pem
Enter Export Password:
Verifying - Enter Export Password:

I just grabbed this openssl.cnf file to test with: https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html
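
Added example, not part of the original post: a check for why the export in the question fails. `openssl x509 -req -signkey` self-signs and places the signing key's public key in the certificate, so `cert.pem` never carried the public half of `cert.key`; issuing with `-CA`/`-CAkey` keeps the CSR's key. The 2048-bit key size, subjects, password and the file names `selfsigned.pem` and `issued.pem` are constructed for this demo.

```shell
#!/bin/sh
# Added example with constructed throwaway keys and subjects (2048-bit for speed).
set -eu

# PEM SubjectPublicKeyInfo of a private key file, and of a certificate.
key_pub()  { openssl pkey -in "$1" -pubout; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey; }

# True when the certificate carries the public half of the given private key,
# which is the condition "pkcs12 -export" needs for -in and -inkey.
cert_matches_key() { [ "$(cert_pub "$1")" = "$(key_pub "$2")" ]; }

# Build the files from the question in directory $1, plus a CA-issued variant.
build_demo() {
  d=$1
  openssl genrsa -out "$d/sign.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/sign.key" -sha256 -days 30 \
    -subj "/CN=Constructed Signing CA" -out "$d/sign.pem"
  openssl genrsa -out "$d/cert.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$d/cert.key" -subj "/CN=leaf.example" \
    -out "$d/cert.csr"
  # As in the question: -signkey self-signs with sign.key and embeds its public key.
  openssl x509 -req -in "$d/cert.csr" -signkey "$d/sign.key" -days 30 \
    -out "$d/selfsigned.pem" 2>/dev/null
  # Issued by sign.pem instead: the certificate keeps the CSR's public key.
  openssl x509 -req -in "$d/cert.csr" -CA "$d/sign.pem" -CAkey "$d/sign.key" \
    -CAcreateserial -days 30 -out "$d/issued.pem" 2>/dev/null
}

# Export certificate $2 with cert.key from directory $1 (constructed password).
export_pfx() {
  openssl pkcs12 -export -out "$1/cert.pfx" -inkey "$1/cert.key" -in "$2" \
    -certfile "$1/sign.pem" -passout pass:constructed 2>/dev/null
}

report() {
  if cert_matches_key "$1" "$2"; then echo "$1 matches $2"
  else echo "$1 does NOT match $2"; fi
}

work=$(mktemp -d)
build_demo "$work"
report "$work/selfsigned.pem" "$work/cert.key"
report "$work/selfsigned.pem" "$work/sign.key"
report "$work/issued.pem" "$work/cert.key"
rm -rf "$work"
```

Running `cert_matches_key` against a certificate and key before `pkcs12 -export` shows which of the two files is wrong instead of leaving only the export error to go on.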

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Morten Nilsen