

Here's the rest in another comment because of the 1000 character limit:
    -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddYears(3) `
    -KeyUsage ([Microsoft.CertificateServices.Commands.KeyUsage]::DigitalSignature) `
    -KeyUsageProperty ([Microsoft.CertificateServices.Commands.KeyUsageProperty]::All) `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.19={critical}{text}ca=FALSE")  # EKU: server + client auth; basic constraints: not a CA
  # Make the CN safe for use in a file name (IPv6 colons, spaces)
  $IssuedToClean = $IssuedTo.Replace(":", "-").Replace(" ", "_")
  $FileSpec = "<path goes here>" + $IssuedToClean + "_wdp.pfx"
  # Export the end-entity cert with its private key, protected by $Password
  $certFile = Export-PfxCertificate -Cert $cert -ChainOption EndEntityCertOnly -FilePath $FileSpec -Password (ConvertTo-SecureString -String $Password -Force -AsPlainText)
}
Here's the updated script to make my certs' attributes match those generated by the WebManagement service.
$IssuedToList = "localhost","W10-02","::1","127.0.0.1","192.168.254.18","fe80::e048:dd41:b861:9505"
$Password = "LetMeIn"
# Issuing CA: an existing root certificate in the user store, selected by thumbprint
$rootCA = Get-ChildItem -Path Cert:\CurrentUser\my\26ebffe81b6b46a0c6c8e9bcf98f33a5d5f85494
foreach($IssuedTo in $IssuedToList) {
  $Subject = "CN=" + $IssuedTo
  # One server-auth cert per name/address, signed by $rootCA (each line ends with a backtick continuation)
  $cert = New-SelfSignedCertificate -Type ([Microsoft.CertificateServices.Commands.CertificateType]::SSLServerAuthentication) `
    -Subject $Subject -DnsName $IssuedTo `
    -FriendlyName ("WDP-" + $IssuedTo) -Signer $rootCA `
    -KeyAlgorithm 'RSA' -KeyExportPolicy ([Microsoft.CertificateServices.Commands.KeyExportPolicy]::Exportable) `
    -HashAlgorithm ([System.Security.Cryptography.HashAlgorithmName]::SHA512) `
The certificates generated by this updated script did not resolve the issue; the same issues as described in the original post.
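As an added diagnostic that is not part of the original post: this script summarises the extensions of a certificate produced by the script above and of one generated by the WebManagement service, then lists every attribute that differs, so a mismatch in EKU, key usage, SAN or basic constraints is visible before the next attempt. The two certificate store paths are placeholder assumptions to be replaced with real thumbprints.

```powershell
# Added diagnostic (not from the original post). The two paths are placeholder
# assumptions: point them at a cert made by the script above and at the cert
# the WebManagement service generated, then compare the summaries.
param(
    [string]$GeneratedCertPath = "Cert:\CurrentUser\My\<generated thumbprint>",
    [string]$ReferenceCertPath = "Cert:\LocalMachine\My\<WebManagement thumbprint>"
)

function Get-CertSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions
    # Enhanced key usage OIDs (2.5.29.37), e.g. 1.3.6.1.5.5.7.3.1 = server auth
    $eku = $ext | Where-Object { $_.Oid.Value -eq "2.5.29.37" } |
           ForEach-Object { ($_.EnhancedKeyUsages | ForEach-Object Value) -join "," }
    # Key usage flags (2.5.29.15), e.g. DigitalSignature, KeyEncipherment
    $ku  = $ext | Where-Object { $_.Oid.Value -eq "2.5.29.15" } | ForEach-Object { $_.KeyUsages.ToString() }
    # Basic constraints (2.5.29.19): CA flag and whether the extension is marked critical
    $bc  = $ext | Where-Object { $_.Oid.Value -eq "2.5.29.19" }
    # Subject alternative names (2.5.29.17), rendered on one line
    $san = $ext | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | ForEach-Object { $_.Format($false) }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    [pscustomobject]@{
        Subject          = $Cert.Subject
        Issuer           = $Cert.Issuer
        SignatureAlg     = $Cert.SignatureAlgorithm.FriendlyName
        PublicKey        = "$($Cert.PublicKey.Oid.FriendlyName) $(if ($rsa) { $rsa.KeySize })"
        EnhancedKeyUsage = "$eku"
        KeyUsage         = "$ku"
        BasicConstraints = $(if ($bc) { "ca=$($bc.CertificateAuthority) critical=$($bc.Critical)" } else { "(absent)" })
        SAN              = "$san"
        ValidDays        = [int]($Cert.NotAfter - $Cert.NotBefore).TotalDays
    }
}

function Compare-CertSummary {
    param($Generated, $Reference)
    # Emit one row per attribute whose string form differs between the two certs
    foreach ($name in $Reference.PSObject.Properties.Name) {
        if ("$($Generated.$name)" -ne "$($Reference.$name)") {
            [pscustomobject]@{ Attribute = $name; Generated = $Generated.$name; Reference = $Reference.$name }
        }
    }
}

$gen = Get-CertSummary -Cert (Get-Item $GeneratedCertPath)
$ref = Get-CertSummary -Cert (Get-Item $ReferenceCertPath)
Compare-CertSummary -Generated $gen -Reference $ref | Format-Table -AutoSize
```

Subject, Issuer and SAN are expected to differ between two certs issued for different names; the rows worth acting on are EnhancedKeyUsage, KeyUsage, BasicConstraints, PublicKey and SignatureAlg.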