damn, this process almost kills the joy of developing software
Although more expensive, Digicert is way less cruel.
I remember you saying kSign works too with your Digicert certs. It may look like it is working but do check if it is also timestamped. They only seem to do this with their own kSoftware certs.
If you codesign without timestamp, your downloaded file will show a blue screen (not red) BUT when your certs expires, it start to show the red screen/warning. Which is something you do not want.