Google says to use signtool
From key and certificate you can build p12 or pfx (it's the same thing)

openssl pkcs12 -export -in input.crt -inkey input.key -out bundle.p12

Well, then follow the description www.hanselman.com/blog/UsingCodeSigningCertificatesToSignDownloadedMSIsAndBuildReputationWithIE9SmartScreen.aspx

Give the result of the command

certutil -verify -urlfetch <файл конечного сертификата в формате PEM>

Missing Issuer: CN=Thawte Code Signing CA — G2, O=«Thawte, Inc.», C=US

You need to add this certificate to the Intermediate certificate store. Your question is "intermediate CA certificate"
Run mmc as administrator, add the certificates snap-in (Add/Remove Snap-In -> Cerificates), then import the certificate CN=Thawte Code Signing CA — G2, O=«Thawte, Inc.», C=USinto the intermediate certificate store and try again.
It also looks like on your computer, where you check the certificate, the Internet is covered, or go through a proxy. For CryptoAPI, which is used by the certutil command, proxy settings are configured separately.

Well, this is nonsense, it has nothing to do with the validity of the certificate. These are settings for the Windows SmartScreen filter, such as notify about infrequently downloaded programs.
It is important that the publisher is visible, there are no complaints about the signature.

Here is how to deal with it .