I had seen situations where certs had to be added from IIS (or they would not work properly or would stop working randomly) and although that fix did involve adding them from IIS, they involved web services and revolved around the exact same PFX file. This seems to be a bit different, in that even though you aren’t using IIS web services and both CSR processes completed properly, only the IIS-added cert was usable.
So the takeaway from this event is:
When using certs in IIS:
Create CSR within IIS,
process CSR normally at zerossl.com,
complete the cert process with IIS,
which results in a working LE cert for IIS.
And a more comprehensive understanding now leads me to think that: When using certs with IIS = You must use only IIS to process the certs.
Only because it wasn't mentioned in this thread, to complete it with a possible direct solution:
Was an openssl migration done from the generated LetsEncrypt Key/Cert/Chain to a PFX file?