diff --git a/ca.go b/ca.go
index 385c5a5..418cf46 100644
--- a/ca.go
+++ b/ca.go
@@ -412,8 +412,9 @@ func InitCA() error {
 NotBefore: now,
 NotAfter: now.Add(validity),
 KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
- BasicConstraintsValid: true,
- IsCA: true,
+ BasicConstraintsValid: true, // This is a CA certificate
+ IsCA: true, // This is a CA certificate
+ MaxPathLenZero: true, // Allow issuing end-entity certificates
 }
 // Add email if present
 if caConfig.Email != "" {
@@ -512,11 +513,13 @@ func issueSingleCertificate(def CertificateDefinition) error {
 expires := dateIssued.Add(validityDur)
 certTmpl := x509.Certificate{
- SerialNumber: serialNumber,
- Subject: subjectPKIX,
- NotBefore: dateIssued,
- NotAfter: expires,
- KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ SerialNumber: serialNumber,
+ Subject: subjectPKIX,
+ NotBefore: dateIssued,
+ NotAfter: expires,
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ IsCA: false,
+ BasicConstraintsValid: true,
 }
 for _, s := range def.SAN {
@@ -571,11 +574,11 @@ func issueSingleCertificate(def CertificateDefinition) error {
 if verbose {
 fmt.Printf(`
 Certificate:
- Name: %s
- Subject: %s
- Type: %s
- Validity: %s
- SAN: %v
+ Name: %s
+ Subject: %s
+ Type: %s
+ Validity: %s
+ SAN: %v
 `,
 def.Name,
 def.Subject,
@@ -584,6 +587,7 @@ Certificate:
 def.SAN,
 )
 }
+
 caState.UpdateCAStateAfterIssue(
 caConfig.SerialType,
 def.Name,
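Review bot: The comment on the new `MaxPathLenZero: true` line says it allows issuing end-entity certificates, but a pathLenConstraint of 0 is a restriction rather than a permission: it forbids this CA from issuing subordinate CA certificates, which is what leaves only end-entity issuance. Suggest `MaxPathLenZero: true, // pathLenConstraint=0: this CA may sign end-entity certs only, never sub-CAs` so the next reader does not loosen it thinking it is a grant. The two identical `// This is a CA certificate` comments could be collapsed into a single comment above `BasicConstraintsValid`. Note that MaxPathLenZero only takes effect while MaxPathLen is left at its zero value, which is the case as far as this template literal shows; InitCA starts before and continues after the hunk.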
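Review bot: The new `IsCA: false` / `BasicConstraintsValid: true` lines in the leaf template carry no comment saying why a non-CA template sets BasicConstraintsValid at all; suggest `// Encode basicConstraints with cA=FALSE so the leaf is never accepted as an issuer` above them, since an explicit extension is the point of the change. The template sets no ExtKeyUsage in this hunk; if it is not populated later in issueSingleCertificate (which continues past the hunk), the certificates carry no EKU, and consumers that require serverAuth or clientAuth will reject them, so that is worth checking against whatever `def.Type` is meant to drive. Minor: the KeyEncipherment bit is only meaningful for RSA keys, and the key type is not visible here.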
@@ -624,26 +628,26 @@ func ProvisionCertificates(filePath string, overwrite bool, dryRun bool, verbose
 // Loop through all certificate definitions
 // to render templates and fill missing fields from defaults
- for _, def := range certDefs.Certificates {
+ for i := range certDefs.Certificates {
 // Fill missing fields from defaults, if provided
- def.FillDefaultValues(certDefs.Defaults)
+ certDefs.Certificates[i].FillDefaultValues(certDefs.Defaults)
 // Render templates in the definition using the variables map
 // with added definition name.
 variables := certDefs.Variables
 if variables == nil {
 variables = make(map[string]string)
 }
- variables["Name"] = def.Name
- err = def.RenderTemplates(variables)
+ variables["Name"] = certDefs.Certificates[i].Name
+ err = certDefs.Certificates[i].RenderTemplates(variables)
 if err != nil {
- return fmt.Errorf("failed to render templates for certificate %s: %v", def.Name, err)
+ return fmt.Errorf("failed to render templates for certificate %s: %v", certDefs.Certificates[i].Name, err)
 }
 }
 n := len(certDefs.Certificates)
 // No errors so far, now we can issue certificates
- for i, def := range certDefs.Certificates {
- fmt.Printf("[%d/%d] Issuing %s... ", i+1, n, def.Name)
+ for i := range certDefs.Certificates {
+ fmt.Printf("[%d/%d] Issuing %s... ", i+1, n, certDefs.Certificates[i].Name)
 if dryRun {
 fmt.Printf("(dry run)\n")
@@ -651,7 +655,7 @@ func ProvisionCertificates(filePath string, overwrite bool, dryRun bool, verbose
 continue
 }
- err = issueSingleCertificate(def)
+ err = issueSingleCertificate(certDefs.Certificates[i])
 if err != nil {
 fmt.Printf("error: %v\n", err)
 errors++
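Review bot: The repeated `certDefs.Certificates[i]` on every changed line of the first loop (and in the `issueSingleCertificate` call at the -651 hunk) makes the body hard to read; taking a pointer once at the top of the loop, `def := &certDefs.Certificates[i]`, keeps the in-place mutation this change is after while leaving the rest as it was (`def.FillDefaultValues(certDefs.Defaults)`, `err = def.RenderTemplates(variables)`), assuming FillDefaultValues and RenderTemplates have pointer receivers, which is what makes the switch from the range copy effective at all. Separately, the changed `variables["Name"] = ...` line writes into `certDefs.Variables` itself whenever that map is non-nil, so the last definition's name stays in the shared map after the loop; copying into a local map (`maps.Clone`, keeping the nil check since cloning nil yields nil) before adding `Name` would avoid that, though it is harmless as long as each iteration overwrites the key and nothing else reads the map. ProvisionCertificates starts before and continues after this hunk.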