client certificate authentication not working with chrome and apache2 server

1

I am attempting to use client certificates to limit secure access to an apache2 web server. However, after installation Google Chrome returns an ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED error.

First I set up the CA for the Web Server by creating a CA key and an X509 PEM file:

openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem

I already have an existing certificate for the web site set in apache2 for https communication allocated by a trusted third party. The following is the apache2 conf setting for this website where I have included SSLCACertificateFile for the certificate generated above, and the SSLOptions, SSLVerifyClient and SSLVerifyDepth directives:

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName site.aname.com
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html/site
                <Directory /var/www/html/site>
                        Options FollowSymLinks
                        AllowOverride All
                        Require all granted
                        SSLOptions +StdEnvVars
                        SSLVerifyClient require
                        SSLVerifyDepth 1
                </Directory>
                LogLevel debug
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLCACertificateFile /etc/apache2/ssl/site/CA.pem
                SSLCertificateFile /etc/apache2/ssl/site/fullchain.pem
                SSLCertificateKeyFile /etc/apache2/ssl/site/privkey.pem
                Include /etc/apache2/ssl/site/options-ssl-apache.conf
        </VirtualHost>
</IfModule>

This completes the web server configuration; testing without a client certificate gives the expected error.

I then generate a client certificate, sign it with the CA, and package it together with the private key in PKCS12 using the following:

GENERATE:

openssl genrsa -out user.key 2028
openssl req -new -key user.key -out user.csr

SIGN WITH:

openssl x509 -sha256 -req -in user.csr -out user.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095

CREATE PKCS12:

openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt

The resultant user.pfx is then installed on the user machines running chrome.

When attempting to connect, Chrome asks for the key; after selecting it, the result is the error ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.

Version of Chrome running under Windows 10 is: Version 74.0.3729.169 (Official Build) (64-bit)

Update: I can connect successfully with curl from another Linux server using:

curl --cert user.crt --key user.key --pass password https://site.aname.com/

However, the same from the Windows 10 command line results in: curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80090027) - The parameter is incorrect

google-chrome
openssl
apache2
asked on Stack Overflow May 26, 2019 by Tim Hogan • edited May 26, 2019 by Tim Hogan

1 Answer

1

Solved by ensuring that the signed user certificate was a "version 3" X.509 certificate and specifying both Key Usage and Enhanced Key Usage attributes within the v3 extension. This was achieved by modifying the openssl.conf file for the X509 sign request, or likewise if you use the openssl CA command.

answered on Stack Overflow Oct 23, 2019 by Tim Hogan

User contributions licensed under CC BY-SA 3.0