
Renewing, prolonging self signed Signature certificate

Open eumaios opened this issue 3 years ago • 0 comments

We have been using xca-generated signatures for (internally) signing PDF documents for several years. A self-signed root certificate was made and a personal certificate for every signing person in 2017. Now the root certificate has expired and all the personal certificates as well. The root was renewed/prolonged and new, prolonged personal certificates were distributed as PKCS12 files.

Now when we are signing PDFs, the signatures are marked as invalid because the root certificate is not valid (the system is referencing the original/expired instead of the prolonged root certificate). Does the PKCS12 (the chain option was chosen) not contain the complete chain of valid certificates (root + individual)?

If I import the root certificate individually to trusted certificates into Windows, the signatures are checked ok - but I cannot directly install/trust the prolonged root certificate. Is this correct or are we doing/understanding something wrongly?

Side question, if the root certificate must be distributed separately: what is the recommended file format for distributing a self-signed trusted root certificate?

Many thanks!

eumaios, Jun 21 '21 13:06