Verified that certificate policy field was added to the certificate with OID. This needs to be matching on all CAs in hierarchy.
To remove Digital signature form KeyUsage filed of certificate, configure registry using following commands on Root CA:
- certutil -setreg Policy\EditFlags -EDITF_ADDOLDKEYUSAGE
- net stop certsvc
- net start certsvc