This certificate has an invalid issuer keychain

I have a private key (my_ca.key) and a public key (my_cert.crt) which is signed by DigiCert. Now I want to generate an SSL certificate (version 3) and sign it with my private key. Here is the way I tried to do that. But when I export it into the keychain (Mac OS X), I get an error like this: "This certificate has an invalid issuer keychain". I have no idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3, and that one is extended from DigiCert High Assurance EV Root CA. I also added DigiCert High Assurance CA-3 and DigiCert High Assurance EV Root CA into the keychain. It shows my_cert.crt is valid. Why would I be getting this kind of error?

######### Initialization


########SSL Certificate

echo "\nGenerating SSL Certificate >>>>>> START"

openssl genrsa -out ia.key 4096
openssl req -new -key ia.key -out ia.csr -subj "$SSL_SUBJ"
openssl x509 -req -days 365 -in ia.csr -CA my_cert.pem -CAkey my_ca.pem -set_serial 765644787 -out ia.crt -extensions v3_ca -extfile ./openssl.cnf

echo "\nGenerating SSL Certificate >>>>>> END \n"

openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -CAfile my_cert.pem -name sslcert -passout pass:password

Note: I added a custom entry in /etc/hosts mapping the IP address to the SSL certificate CN, and for testing the server and client are on the same machine.


  • Normally, all X.509 certificates in a certificate chain except the last one are CA certificates. The first certificate in the chain is called the root CA (in your case DigiCert High Assurance EV Root CA), then the other CA certificates in the issuer chain (if any) are intermediate CAs, and the last one is the End Entity (not a CA). I don't think you can issue a new SSL certificate from a non-CA certificate. So you can use my_cert.crt signed by DigiCert as an SSL certificate, but you cannot issue your own using my_ca.key.
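
The behaviour described in the answer can be reproduced offline with OpenSSL. The script below is an added example, not part of the original question or answer: it builds a constructed chain (Demo Root CA, leaf.example and child.example are made-up names) in which a certificate is signed with an end-entity key, then shows that the signing step succeeds while chain verification rejects the result.

```shell
#!/bin/sh
# Added example: every subject, file name and serial below is constructed.

# write_cfg FILE: minimal config with one CA and one end-entity extension section.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ee]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
}

# issue NAME ISSUER DIR SERIAL: new key + CSR for NAME, signed by ISSUER as an end entity.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$3/cfg" -subj "/CN=$1.example" \
        -keyout "$3/$1.key" -out "$3/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$3/$1.csr" -CA "$3/$2.pem" -CAkey "$3/$2.key" -set_serial "$4" \
        -days 30 -extfile "$3/cfg" -extensions v3_ee -out "$3/$1.pem" 2>/dev/null
}

# build_chain DIR: root (CA:TRUE) -> leaf (CA:FALSE) -> child (signed with the leaf's key).
build_chain() {
    write_cfg "$1/cfg" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/cfg" -extensions v3_ca \
        -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue leaf root "$1" 2 && issue child leaf "$1" 3
}

# is_ca CERT: true only if the certificate asserts basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chain_ok DIR NAME: verify NAME.pem against the root, offering leaf.pem as an intermediate.
chain_ok() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/leaf.pem" "$1/$2.pem"; }

demo=$(mktemp -d) && build_chain "$demo"
is_ca "$demo/root.pem" && echo "root: CA"
is_ca "$demo/leaf.pem" || echo "leaf: not a CA"
chain_ok "$demo" leaf
chain_ok "$demo" child || echo "child rejected: its issuer is not a CA certificate"
```

Running `is_ca` on the certificate you intend to pass to `-CA` shows up front whether anything it signs can validate.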