diff --git a/README.md b/README.md
index ac66631..08cb084 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ chmod 0700 psk
 
 # create CA key and cert used for signing
 openssl genrsa -out ca.key 4096
-CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
+CN=CA openssl req -config openssl.cnf -addext basicConstraints=critical,CA:TRUE,pathlen:1  --x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
 
 # create key for the server and sign it with the CA
 CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr