The -KeyUsage parameter indicates the default as None. Later the help indicates thus:
The default value, None, indicates that this cmdlet does not include the KeyUsage extension in the new certificate.
Even if I specify -KeyUsage None, the new certificate has a "Key Usage" extension in the cert with values of "Digital Signature" & "Key Encipherment" regardless. I've also tried specifying None on -KeySpec and -KeyUsageProperty and various combinations, with the same results. You can, however, specify different values for -KeyUsage and it will change to those values, but those will also get the yellow warning sign and propagate to the newly minted certs
After creating a certificate that way as a Root CA, the certificates created and signed with that RootCA inherit the problem.
Here is some code that will demonstrate the difference between the output of MakeCert.exe and New-SelfSignedCertficate:
##MAKECERT example
$RootCA = "Hyper-V Replication Certificate Authority"
$ReplicaServer = "MyServerName-01"
##Create root cert
.\makecert.exe -pe -n "CN=$RootCA" -ss root -sr LocalMachine -sky signature -r ".$RootCA.cer"
##Create new cert using rootCA
.\makecert.exe -pe -n "CN=$ReplicaServer" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "$RootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
Generates a cert with no issues:
##New-SelfSignedCertificate example
##Create Root Cert
$RootCA = "Hyper-V Replication Certificate Authority"
$ReplicaServer = "MyServerName-01"
$Cert = New-SelfSignedCertificate -Type Custom
-KeyExportPolicy Exportable -Subject "CN=$RootCA"
-KeySpec Signature -KeyUsage "None"
-KeyUsageProperty All -CertStoreLocation Cert:\LocalMachine\My
-NotAfter (Get-Date -Date "12/31/2039 18:59:59")
##Note the above certificate would need to be moved to the Root store to be a valid root certificate in the chain. But the example I'm trying to show is evident without doing that.
##Create new cert from RootCA
New-SelfSignedCertificate -Type Custom
-Subject "CN=$ReplicaServer" -KeySpec KeyExchange
-CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy Exportable
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachine\My\$($Cert.Thumbprint)"
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-NotAfter (Get-Date -Date "12/31/2039 18:59:59")
Generates a cert with a warning icon on the "Key Usage" extension: