shiftstack · stephenfin · Jan 26, 2026
diff --git a/playbooks/roles/simpleca/tasks/main.yaml b/playbooks/roles/simpleca/tasks/main.yaml
@@ -19,7 +19,7 @@
 - name: Run the tasks to create CA cert and key when not provided
  when: ssl_ca_cert is not defined or ssl_ca_key is not defined
  block:
    - name: Create CA key
      community.crypto.openssl_privatekey:
        path: "{{ ca_dir }}/simpleca.key"
      register: ca_key
@@ -31,6 +31,11 @@
         common_name: "simpleca"
         basic_constraints:
           - "CA:TRUE"
+        basic_constraints_critical: true
+        key_usage:
+          - keyCertSign
+          - cRLSign
+        key_usage_critical: true
       register: ca_csr
 
     - name: Sign the CA CSR
@@ -83,6 +88,12 @@
       - "IP:{{ control_plane_ip }}"
       - "IP:{{ hostonly_gateway }}"
       - "IP:{{ hostonly_v6_gateway }}"
+    key_usage:
+      - digitalSignature
+      - keyEncipherment
+    key_usage_critical: true
+    extended_key_usage:
+      - serverAuth
   register: user_csr
 
 - name: Sign the CSR for {{ cert_user }}