Mozilla NSS does not accept certificate with "PKCS #1 SHA-256 With RSA Encryption" signature

Question

On Centos 7.2 NSS certutil and other tools using NSS libraries reject my certificate with the message certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.

I have created my own root certificate and intermediate certificate using OpenSSL 0.9.8zh on Mac OS X. All private keys are 4096 bit RSA and message digest is SHA256. The configuration for certificate authority is mostly copied from here: https://jamielinux.com/docs/openssl-certificate-authority/

Then I created private key for the server using certutil on Centos and signed it using the intermediate ca again on OS X. I imported the server certificate, intermediate certificate and root certificate to the server using certutil.

Now certutil correctly shows the certificate:

# certutil -d . -L -n server-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "Redacted"
        Validity:
            Not Before: Tue Aug 09 06:23:57 2016
            Not After : Wed Aug 09 06:23:57 2017
        Subject: "CN=ldap-qa1.example.com,OU=redacted"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c6:14:ae:37:fe:48:70:58:0c:29:c1:dc:97:0d:4d:b5:
                    e0:d4:04:4a:31:43:ae:c9:81:b9:e4:6a:e5:cf:c3:dc:
                    f5:f2:79:ef:85:3e:20:cc:ac:0c:31:85:3f:b2:05:ab:
                    01:82:ea:66:de:1f:62:68:de:59:f2:73:ff:ea:1b:95:
                    8c:7a:24:a6:1b:4d:87:45:95:cc:72:0d:d1:6c:8b:f6:
                    63:6d:24:43:f0:a9:12:1d:4a:b6:3b:f1:0e:7f:c7:e8:
                    90:e4:0e:08:77:a2:dc:9c:1a:53:2e:e0:74:0b:42:6d:
                    79:da:2d:2b:de:8b:91:8d:51:fb:f4:f7:8d:83:4d:07:
                    e3:ff:4b:22:1d:4f:7f:0b:80:cf:92:1a:3a:64:e3:a4:
                    f0:b3:fc:fc:0d:ac:87:83:0c:ed:7f:74:6f:fb:b5:53:
                    8e:39:de:2c:69:74:68:d9:15:59:f7:5e:6b:50:8a:b8:
                    72:52:d5:e0:3e:be:e6:2a:32:a7:14:a7:e0:07:06:5b:
                    1c:f0:86:3b:66:0b:2e:c2:9b:d8:f0:c3:e4:78:ab:a0:
                    2d:00:12:d3:60:4c:5e:0d:e1:5c:16:37:e8:f8:26:3b:
                    9c:72:34:42:ca:99:36:6b:57:c9:9b:89:98:b9:61:ae:
                    d3:da:ff:a4:d1:be:58:34:bc:52:99:fb:6a:2d:9a:03:
                    4d:01:80:b7:98:04:ff:a7:c3:3a:47:99:e0:2a:72:ae:
                    1a:a3:59:54:70:3d:09:eb:0c:d4:22:36:c2:fd:bf:dd:
                    0e:01:62:9c:30:64:f9:b1:ed:bb:83:49:4e:f7:03:85:
                    57:27:e5:7c:3d:aa:a4:d4:3e:3d:ce:5f:c0:9a:a5:6c:
                    52:03:21:7a:69:b0:e7:49:e9:ae:6d:8a:82:f7:ca:3a:
                    bd:65:fa:63:de:3c:7e:aa:23:4b:e1:c8:a5:e6:a5:28:
                    0b:f1:31:04:9b:5a:ea:a3:52:73:e5:78:34:61:35:4f:
                    a5:5e:2b:18:df:eb:a5:de:da:f3:f9:c4:04:c1:68:e7:
                    42:71:ca:79:3a:2a:a6:7d:d4:62:88:e6:12:29:05:8e:
                    39:b5:50:90:8d:6d:d1:8c:66:33:0e:e8:1a:33:e6:fb:
                    bd:6a:0f:14:c8:7a:de:4d:06:a2:f9:1a:3d:e1:65:87:
                    ed:0c:e3:b9:62:d4:46:94:d6:75:75:f3:f8:f4:76:7f:
                    23:55:4c:70:a9:ba:d8:46:71:78:72:c4:cd:36:60:3d:
                    ee:2e:f0:f9:8c:e4:4b:24:7d:07:25:3d:6d:f1:1d:9c:
                    f8:40:ea:cf:3d:bd:53:d8:db:bd:fe:50:7a:76:52:2f:
                    04:d2:b7:71:bb:96:27:5c:7a:6d:f1:7f:08:2c:77:2f
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Type
            Data: <SSL Server>

            Name: Certificate Comment
            Comment: "OpenSSL Generated Server Certificate"

            Name: Certificate Subject Key ID
            Data:
                a9:c0:d6:bd:65:e5:1e:c3:d5:78:ed:e7:9d:2e:d6:0f:
                1f:07:d7:31

            Name: Certificate Authority Key Identifier
            Key ID:
                96:ed:bb:e3:7f:9c:b9:7e:dd:41:75:ce:46:83:99:4b:
                82:38:1c:f8
            Issuer: 
                Directory Name: "redacted"
            Serial Number: 4096 (0x1000)

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        24:5d:32:73:ce:da:94:57:30:86:43:de:c4:71:5b:dd:
        f8:c6:e1:62:d9:48:da:eb:e7:38:95:57:f2:24:5a:15:
        c1:cf:19:a8:a7:c1:02:93:9b:f5:df:c6:a1:65:42:64:
        70:f3:43:bb:6e:be:a5:e3:7a:26:2f:42:82:ba:bc:a4
    Fingerprint (SHA-256):
        00:88:D1:EC:4D:E0:2F:22:53:76:6C:69:82:1C:8F:59:87:A5:E7:C3:C8:7B:04:ED:63:B4:2A:E3:73:BD:B3:BB
    Fingerprint (SHA1):
        2B:0B:D1:8E:C0:CB:9B:D2:29:EC:E4:C2:03:97:2B:AF:2C:9E:E9:51

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

But trying to validate the certificate fails:

# certutil -d . -V -n server-cert -u V -e 
Enter Password or Pin for "NSS Certificate DB":
certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.

Validating both the intermediate and root certificate works as expected.

The version of nss is nss-3.21.0-9.el7_2.x86_64

Can you spot something incorrect in the certificate, or could this be a bug in nss?

EDIT: Apparently the certificate was not correctly created. Creating it again with different parameters and a different tool solved the issue.