I have an OpenSSL CA running on a BSD 6.1 machine as the root, and am
trying to have that act as the parent to subordinate Windows online
enterprise CAs.

The installation went fine. I signed the Windows subordinate CA cert
request with SSL, then converted it to pkcs12 to be installed. That's
where I get the problem. When I try to installed the pkcs12 cert on the
Windows machine, it doesn't like it, giving me an "ASN1 unexpected end
of data".

I suspect that possibly it is because it isn't seeing the private key
when OpenSSL converts to pkcs12. I was actually only able to get the
..pem -> .p12 conversion to work by using the -nokeys option.

So let me walk you through each step.

1. Received Windows CA generated request file (.der).
2. Signed it using "ca -config blahblah/openssl.cnf -in
windowsreqfile.der -out newcert.pem"
3. Converted it using "pkcs12 -export -in newcert.pem -out
newercert.p12 -nokeys"

So as I said I could only get the conversion command to work using the
nokeys option. If I didn't, it would error out on me saying "unable to
load private key". This tells me I may have missed a step in the
signing process, but I'm unsure what exactly. Do I need to execute
another command after step 2 to output a separate private key file?
Shouldn't the private key be included in the .pem file in step 2?