diff --git a/simple-ca.sh b/simple-ca.sh
index 62a5832..cd26b63 100755
--- a/simple-ca.sh
+++ b/simple-ca.sh
@@ -123,7 +123,8 @@ function make_ca() {
 -noenc \
 -subj "/CN=${CA_NAME}" \
 -text \
- -addext "basicConstraints=critical,CA:TRUE,pathlen:1"; then
+ -addext "basicConstraints=critical,CA:TRUE,pathlen:1" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"; then
 echo "ERROR: Failed to generate CA certificate and key." >&2
 return 1
 fi
@@ -146,6 +147,7 @@ function make_ca() {
 -noenc \
 -subj "/CN=${CA_NAME}" \
 -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign" \
 ${AIA_BASE_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_BASE_URL}/ca_cert.crt"} \
 | openssl x509 \
 -req \
@@ -301,7 +303,7 @@ function make_cert() {
 -noenc \
 -subj "/CN=${CERT_SUBJECT_NAME}" \
 -addext "basicConstraints=critical,CA:FALSE" \
- -addext "keyUsage=digitalSignature,keyEncipherment" \
+ -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
 -addext "extendedKeyUsage=serverAuth,clientAuth" \
 -addext "$SANS_EXT" \
 ${AIA_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_URL}"} \
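Review bot: In the second make_ca hunk (`@@ -146,6 +147,7 @@`), the new `-addext "keyUsage=critical,keyCertSign,cRLSign"` is set on a CSR that is piped into `openssl x509 -req`, which does not carry CSR extensions into the issued certificate unless it is told to. The x509 argument list continues past the end of the hunk, so confirm it passes `-copy_extensions copy` (or an `-extfile`); otherwise the restriction is silently absent from the signed CA certificate. A post-issuance check such as `openssl x509 -in <issued-cert> -noout -ext keyUsage,basicConstraints` (placeholder path), failing the function when the expected values are missing, would catch that. The same question applies to the leaf certificate in make_cert if it is signed the same way, which the third hunk does not show.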
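Review bot: In make_cert (`@@ -301,7 +303,7 @@`), marking keyUsage critical makes the `keyEncipherment` bit binding, and that bit only describes RSA key transport. The key type is chosen outside this hunk; if the leaf key can be EC, `keyEncipherment` does not fit the key and `keyUsage=critical,digitalSignature` would be the accurate value for that case. A short comment above the line stating what each bit is meant to cover, e.g. `# digitalSignature: (EC)DHE and TLS 1.3; keyEncipherment: RSA key exchange only`, would make the intent reviewable. make_cert's body starts and ends outside the hunk.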