diff --git a/pki/openssl.cnf b/pki/openssl.cnf
index 0e764bf16..f32bde23b 100644
--- a/pki/openssl.cnf
+++ b/pki/openssl.cnf
@@ -194,6 +194,8 @@ nsComment			= "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=clientAuth,serverAuth
+keyUsage=digitalSignature
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.