diff --git a/main.fnl b/main.fnl
index f929aa7..cab4c6a 100644
--- a/main.fnl
+++ b/main.fnl
@@ -98,8 +98,11 @@
 (for [i 1 (csr:getRequestedExtensionCount) 1]
 (let [ext (csr:getRequestedExtension i)]
 (crt:addExtension ext)))
+ ;; https://www.golinuxcloud.com/add-x509-extensions-to-certificate-openssl/
 (doto crt
 (: :addExtension (extension.new "basicConstraints" "critical,CA:FALSE"))
+ (: :addExtension (extension.new "keyUsage" "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment")) ;; all of these?
+ (: :addExtension (extension.new "extendedKeyUsage" "clientAuth"))
 (: :sign ca-key))))
 (fn approve-request? [csr]
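Review bot: The new keyUsage and extendedKeyUsage are added inside `doto crt` only after the `for` loop above has copied every CSR-requested extension into `crt`, so a request that carries its own basicConstraints, keyUsage or extendedKeyUsage may end up with the requester's values or with duplicate extensions; which of the two depends on whether `addExtension` appends or replaces, and that is not visible in this hunk. Copying only an allow-list of requested extensions (subjectAltName, for instance) and letting the CA set the usage constraints itself would close that gap. On the `;; all of these?` question, a certificate restricted to clientAuth typically needs only digitalSignature, and RFC 5280 recommends marking keyUsage critical: `(: :addExtension (extension.new "keyUsage" "critical,digitalSignature"))`. The enclosing function starts above the hunk, so earlier filtering of the CSR cannot be ruled out from here.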