For testing purposes I want to test cross-signing certificates for Windows driver signing. I understand the general concept: Two root CAs, one root CA cross-signs the other root CA's public key.

However, I couldn't find any information on how to cross-sign the root CA's public key exactly. When I simply sign the public key with the cross-certificate in OpenSSL, the cross-certificate is presented as the root certificate. Should it be like that? If not, does anybody know what commands can be used to cross-sign a root CA's public key?

D.O.

1 Answer

Cross-certification in Windows is done via the certreq.exe tool:

certreq -policy <policy.inf> <certtocrosssign.cer> <outreq.csr>

where <policy.inf> is an INF file that defines the cross-certificate's contents and constraints. <certtocrosssign.cer> is the path to the certificate file you are cross-signing. The last parameter, <outreq.csr>, is the path to the cross-certificate request. Before executing the command, make sure that you have a certificate with the Qualified Subordination (1.3.6.1.4.1.311.10.3.10) EKU. This key is used to sign the request.

When I simply sign the public key with the cross-certificate in OpenSSL, the cross-certificate is presented as the root certificate.

No, a cross-certificate is not a root certificate (Subject and Issuer don't match). The Issuer is the CA used to sign the request and the Subject is the subject of the CA you are certifying.

For more details, please refer to Microsoft whitepaper on cross-certification. Unfortunately, Microsoft removed it from their servers and you can get a copy from non-Microsoft web sites. For example, a copy downloadable from my personal weblog: 34 PKI & ADCS Whitepapers You Must Read. The document is called [Win2k3] Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003.

Crypt32