Trouble generating a p12 certificate for wallet signing


I've been trying to replace an expired p12 certificate which is used for signing Apple Wallet passes in PHP.

The problem I'm having is nothing to do with the PHP end of things but getting and exporting the certificates as P12.

Here are the steps I have taken, along with the original URL for the instructions for each step:

  1. Create a CSR (see https://help.apple.com/developer-account/#/devbfa00fef7)
  • Launch Keychain Access located in /Applications/Utilities.

  • Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.

  • In the Certificate Assistant dialog, enter an email address in the User Email Address field.

  • In the Common Name field, enter a name for the key (for example, Gita Kumar Dev Key).

  • Leave the CA Email Address field empty.

  • Choose “Saved to disk”, and click Continue.

  2. Go to the Apple Developer portal and under Certificates, Identifiers & Profiles create an Identifier
  • In Certificates, Identifiers & Profiles, select Identifiers.

  • Under Identifiers, select Pass Type IDs.

  • Click the plus (+) button.

  • Enter the description and pass type identifier, and click Submit.

Note: I first tried the existing identifier from the previous certificate. That didn't work so I deleted it and created a new one.

  3. Create the Certificate
    (see https://developer.apple.com/library/archive/documentation/UserExperience/Conceptual/PassKit_PG/YourFirst.html)
  • In Certificates, Identifiers & Profiles, select Identifiers.

  • Under Identifiers, select Pass Type IDs.

  • Select the pass type identifier, then click Edit.

  • Click the Create Certificate button, then follow the instructions to create a pass signing certificate.

  4. Download that certificate and then double-click it to import into my Keychain

When I import it, it appears as just a single certificate and not a group like the previous one, so I cannot then export it as a .p12. See attached screenshot where top cert is the new single cert and second cert is the expired group of certs.

Where am I going wrong that the imported certificate does not contain the self-signed certificate that I uploaded as part of the creation in step 3?

  • I have tried using variations of different common names and leaving the cert name blank in step 3.

Another thing I noticed in Keychain Access is that the new cert doesn't appear under the "My Certificates" group, only under the "Certificates" group, so it almost looks like my identity is screwed. I did just upgrade to Catalina!

Best Answer

The problem was the way that I was importing the cert into Keychain Access. I needed to filter by login > certificates and then import.
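
A .p12 can only be exported when the certificate is paired with the private key that produced its CSR, which is why a certificate that shows up alone cannot be exported. The following is an added example, not part of the original question or answer: it uses the openssl command line instead of Keychain Access to check that pairing and refuse to build a .p12 from a mismatched key. All file names, the common name and the password are constructed, and a self-signed DER certificate stands in for the .cer downloaded from the developer portal (assumed to be DER-encoded).

```shell
#!/bin/sh
# Added example. File names, CN and password are constructed for illustration.

# Digest of the public key held in a private key file / in a certificate.
pubkey_digest_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256; }
pubkey_digest_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }

# Succeeds only when the certificate was issued for this private key.
key_matches_cert() {
    [ "$(pubkey_digest_of_key "$1")" = "$(pubkey_digest_of_cert "$2")" ]
}

# Bundle key + certificate into a PKCS#12 file, refusing a mismatched pair.
# Arguments: key.pem cert.pem out.p12 export-password
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch: $1" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

work=$(mktemp -d)
p12_pass='constructed-password'

# Private key and CSR (the Keychain Access CSR step, done with openssl).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Pass Key" \
    -keyout "$work/pass.key" -out "$work/pass.csr" 2>/dev/null

# Stand-in for the portal: self-sign the CSR, emitting DER like a .cer file.
openssl x509 -req -in "$work/pass.csr" -signkey "$work/pass.key" -days 1 \
    -outform DER -out "$work/pass.cer" 2>/dev/null

# Convert the DER download to PEM before pairing it with the key.
openssl x509 -inform DER -in "$work/pass.cer" -out "$work/pass.pem"

# An unrelated key, to show the mismatch case.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/other.key" 2>/dev/null

make_p12 "$work/pass.key" "$work/pass.pem" "$work/pass.p12" "$p12_pass" \
    && echo "exported $work/pass.p12"
make_p12 "$work/other.key" "$work/pass.pem" "$work/bad.p12" "$p12_pass" \
    || echo "refused to export with the wrong key"
```

The private key file written here is unencrypted (`-nodes`), so keep it out of version control and restrict its file permissions.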