diff --git a/main.fnl b/main.fnl
index db25350..16af05c 100644
--- a/main.fnl
+++ b/main.fnl
@@ -6,6 +6,7 @@
 (local ctx (require :openssl.ssl.context))
 (local csr (require :openssl.x509.csr))
 (local x509 (require :openssl.x509))
+(local extension (require :openssl.x509.extension))
 (local pkey (require :openssl.pkey))
 (local bignum (require :openssl.bignum))
 
@@ -93,7 +94,9 @@
     (for [i 1 (csr:getRequestedExtensionCount) 1]
       (let [ext (csr:getRequestedExtension i)]
         (crt:addExtension ext)))
-    (doto crt (: :sign ca-key))))
+    (doto crt
+      (: :addExtension (extension.new "basicConstraints" "critical,CA:FALSE"))
+      (: :sign ca-key))))
 
 (fn approve-request? [csr]
   (let [challengePassword (csr:getAttribute :challengePassword)]