diff --git a/ssl-ca b/ssl-ca
index 2c299930b22d76a86cbd3c22dcf6485cc5c68a4a..3e41fd324fbaccc3ebf689a9cbc5fa03a7a6dce6 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -41,10 +41,11 @@ RANDFILE = /dev/urandom
 CN = \${ENV::cn}
 
 [ v3_ca ]
-basicConstraints = CA:true
+basicConstraints = critical, CA:true
+keyUsage = keyCertSign, cRLSign
 
 [ v3_req ]
-basicConstraints = CA:false
+basicConstraints = critical, CA:false
 subjectAltName = @AltNames
 
 [ AltNames ]