diff --git a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
index ba91c5ba2..db3cb702d 100644
--- a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
+++ b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
@@ -156,6 +156,13 @@ commonName_max			= 64
 
 #unstructuredName		= An optional company name
 
+[ server ]
+basicConstraints=CA:FALSE
+nsCertType			= server, client, objsign
+nsComment			= "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
 [ usr_cert ]
 
 # These extensions are added when 'ca' signs a request.
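Review bot: The new `[ server ]` section, which setup-server-cert.sh applies to the issued server certificate via `openssl ca ... -extensions server`, carries only the legacy Netscape `nsCertType` plus basicConstraints and key identifiers, with no `keyUsage` or `extendedKeyUsage`, so nothing that current TLS verifiers actually read constrains the certificate to server use. Consider adding `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth, clientAuth` (drop `clientAuth` if the server certificate is never presented as a client; `objsign` in `nsCertType` looks unnecessary for a TLS endpoint). The same gap exists in the `[ usr_cert ]` hunk below, where `nsCertType` is enabled but `keyUsage` stays commented out and no `extendedKeyUsage = clientAuth` is added. The five new lines also mix `key=value` with tab-aligned `key = value`; the rest of the template uses the tab-aligned form, so either is defensible but pick one.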
@@ -178,13 +185,13 @@ basicConstraints=CA:FALSE
 # nsCertType = client, email
 
 # and for everything including object signing:
-# nsCertType = client, email, objsign
+nsCertType = client, email, objsign
 
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 # This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
+nsComment			= "OpenSSL Generated Client Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
@@ -235,10 +242,10 @@ basicConstraints = CA:true
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 
 # Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA
 
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
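Review bot: The comment immediately above the newly enabled `keyUsage = cRLSign, keyCertSign` still says the setting is "best left out by default" because it prevents use as a test self-signed certificate, which now contradicts the line it documents; since setup-xcat-ca.sh selects this section with `-extensions v3_ca` for the real CA, replace those three comment lines with `# Restrict the xCAT CA key to signing certificates and CRLs.`. Marking the constraint critical, `keyUsage = critical, cRLSign, keyCertSign`, is what RFC 5280 recommends for CA certificates and turns a non-conforming use into a hard verification failure rather than advisory data. `nsCertType = sslCA, emailCA` is a legacy Netscape extension that modern verifiers ignore; it is harmless, but the `basicConstraints`/`keyUsage` pair is what carries the actual constraint.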
diff --git a/xCAT-server/share/xcat/scripts/setup-local-client.sh b/xCAT-server/share/xcat/scripts/setup-local-client.sh
index b0e650422..5e8a3b7a8 100755
--- a/xCAT-server/share/xcat/scripts/setup-local-client.sh
+++ b/xCAT-server/share/xcat/scripts/setup-local-client.sh
@@ -51,7 +51,7 @@ done
 mkdir -p $USERHOME/.xcat
 cd $USERHOME/.xcat
 openssl genrsa -out client-key.pem 2048
-openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -subj "/CN=$CNA"
+openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -extensions usr_crt -subj "/CN=$CNA"
 cp client-req.pem  $XCATDIR/ca/root.csr
 cd -
 cd $XCATDIR/ca
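Review bot: `-extensions usr_crt` names a section that does not exist in the template; the section touched in openssl.cnf.tmpl is `[ usr_cert ]`, so `openssl req` will most likely abort with an "Error Loading extension section" message and no client-req.pem is produced. Change it to `-extensions usr_cert`. Separately, as far as I can tell `openssl req -new` without `-x509` only syntax-checks the `-extensions` section and does not write those extensions into the CSR; the extensions of the issued client certificate are decided by the `-extensions` argument of the later `openssl ca` call, which is outside this hunk, so verify that call selects `usr_cert` as well. The same applies to the `-extensions server` added to the `openssl req -new` line in setup-server-cert.sh, where the effective selection is the `openssl ca ... -extensions server` in that file's second hunk.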
diff --git a/xCAT-server/share/xcat/scripts/setup-server-cert.sh b/xCAT-server/share/xcat/scripts/setup-server-cert.sh
index 20ff1a304..89a7c7295 100755
--- a/xCAT-server/share/xcat/scripts/setup-server-cert.sh
+++ b/xCAT-server/share/xcat/scripts/setup-server-cert.sh
@@ -23,7 +23,7 @@ fi
 mkdir -p $XCATDIR/cert
 cd $XCATDIR/cert
 openssl genrsa -out server-key.pem 2048
-openssl req -config $XCATCADIR/openssl.cnf -new -key server-key.pem -out server-req.pem -subj "/CN=$CNA"
+openssl req -config $XCATCADIR/openssl.cnf -new -key server-key.pem -out server-req.pem -extensions server -subj "/CN=$CNA"
 cp server-req.pem  $XCATDIR/ca/`hostname`.csr
 cd -
 cd $XCATDIR/ca
@@ -33,7 +33,7 @@ cd $XCATDIR/ca
 #   - call cmds directly instead - seems safe
 # make sign
 
-openssl ca -config openssl.cnf -in `hostname`.csr -out `hostname`.cert
+openssl ca -config openssl.cnf -in `hostname`.csr -out `hostname`.cert -extensions server
 if [ -f `hostname`.cert ]; then
     rm `hostname`.csr
 fi
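Review bot: The `if [ -f hostname.cert ]` test following the changed `openssl ca` line does not reliably detect a failed signing run: `openssl ca` may create the `-out` file before signing completes, so on failure an empty `.cert` can be left behind and the `.csr` deleted anyway. Test the exit status instead, e.g. `if openssl ca -config openssl.cnf -in "$(hostname)".csr -out "$(hostname)".cert -extensions server; then`. With `-extensions server` now selecting the newly added `[ server ]` section, a misspelled section name would surface exactly as such a silent failure.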
diff --git a/xCAT-server/share/xcat/scripts/setup-xcat-ca.sh b/xCAT-server/share/xcat/scripts/setup-xcat-ca.sh
index fea1b4203..9f2d9f4a6 100755
--- a/xCAT-server/share/xcat/scripts/setup-xcat-ca.sh
+++ b/xCAT-server/share/xcat/scripts/setup-xcat-ca.sh
@@ -30,5 +30,5 @@ sed -e "s@##XCATCADIR##@$XCATCADIR@" $XCATROOT/share/xcat/ca/openssl.cnf.tmpl >
 cp $XCATROOT/share/xcat/ca/Makefile $XCATCADIR/
 cd $XCATCADIR
 make init
-openssl req -nodes -config openssl.cnf -days 2650 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM -subj /CN="$CNA"
+openssl req -nodes -config openssl.cnf -days 7300 -x509 -newkey rsa:2048 -out ca-cert.pem -extensions v3_ca -outform PEM -subj /CN="$CNA"
 cd -
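Review bot: The CA validity jumps from 2650 to 7300 days (about 20 years) with no comment recording the decision, and the key is still generated with `-nodes`, i.e. stored unencrypted under $XCATCADIR (pre-existing). Add a line above the command such as `# Self-signed root CA, valid 20 years; its key is unencrypted (-nodes), so $XCATCADIR must stay root-only` so the next maintainer knows the trade-off was deliberate. `-extensions v3_ca` is the right section for `-x509` output; if the template's `[ req ]` section already sets `x509_extensions = v3_ca` the flag is redundant but harmless, which cannot be confirmed from this diff.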