Apple MDM Vendor CSR Signing

I hit 'Invalid Certificate Signing Request' when uploading plist to https://identity.apple.com/pushcert/ , and below are steps I used to generate plist :

1. As a vendor, create vendor CSR using KeyChain Access of the MacBook to upload to member centre to generate MDM signing certificate, and export private key from KeyChain Access in p12 format, say vendor.p12
2. Create customer CSR, using Openssl :
   - openssl genrsa -des3 -out customerPrivateKey.pem 2048
   - openssl req -new -key customerPrivateKey.pem -out customer.csr
3. As a vendor, download MDM signing certificate, WWDR intermediate certificate from provisioning portal, and download Apple root certificate from http://www.apple.com/appleca/AppleIncRootCertificate.cer, then use below command to convert these three certs to PEM format one by one which will be read by program as the PushCertCertificateChain :
   - openssl x509 -inform der -in AppleWWDRCA.cer -out chain.pem
4. As a vendor, following sample java code in Mobile Device Management Protocol Reference, I sign the customer.csr with the private key extracted from vendor.p12
5. Using Safari to upload generated plist to https://identity.apple.com/pushcert/ with customer Apple ID

Is there anything wrong with above steps? Please advise. Thanks a lot!