diff --git a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
index db3cb702d..ee26a53eb 100644
--- a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
+++ b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
@@ -162,6 +162,8 @@ nsCertType = server, client, objsign
 nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
+keyUsage = digiatalSignature,KeyAgreement
+extendedKeyUsage = serverAuth
 
 [ usr_cert ]
 
@@ -171,6 +173,8 @@ authorityKeyIdentifier=keyid,issuer
 # requires this to avoid interpreting an end user certificate as a CA.
 
 basicConstraints=CA:FALSE
+keyUsage = digiatalSignature,KeyAgreement
+extendedKeyUsage = clientAuth
 
 # Here are some examples of the usage of nsCertType. If it is omitted
 # the certificate can be used for anything *except* object signing.
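Review bot: Both added `keyUsage` lines (in the section that ends just before `[ usr_cert ]`, and again after `basicConstraints=CA:FALSE` in the second hunk) use `digiatalSignature,KeyAgreement`, and neither token is a keyUsage name OpenSSL defines: the first is misspelled and the second is capitalised differently from `keyAgreement`. As far as I know OpenSSL matches these names case-sensitively, so signing with either section will most likely fail with an unknown-value error rather than issue a certificate with the intended restriction. Both lines should read `keyUsage = digitalSignature,keyAgreement`. Since the list omits `keyEncipherment`, it is worth confirming that no TLS peer in the deployment still negotiates RSA key transport with these certificates. The first hunk's header context also shows `nsCertType = server, client, objsign`, which presumably sits in the same section and is broader than the new `extendedKeyUsage = serverAuth`, so the two should be reconciled.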