diff --git a/keygen/openssl.conf b/keygen/openssl.conf
index 79b1dfb4..09db6c25 100644
--- a/keygen/openssl.conf
+++ b/keygen/openssl.conf
@@ -1,4 +1,36 @@
 [req]
 distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
 
 [req_distinguished_name]
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF