diff --git a/src/etc/ssl/opnsense.cnf b/src/etc/ssl/opnsense.cnf
index d75a70eda..f196ab6b2 100644
--- a/src/etc/ssl/opnsense.cnf
+++ b/src/etc/ssl/opnsense.cnf
@@ -211,6 +211,10 @@ authorityKeyIdentifier=keyid:always,issuer
 #basicConstraints = critical,CA:true
 # So we do this instead.
 basicConstraints = CA:true
+# keyUsage (rfc5280): Conforming CAs MUST include this extension in certificates that contain public keys
+# that are used to validate digital signatures on other public key certificates or CRLs.
+# When present, conforming CAs SHOULD mark this extension as critical.
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
 ###OPNsense:subjectAltName###
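Review bot: The added `keyUsage = critical, ...` line sits directly under the comment explaining that `basicConstraints` is deliberately left non-critical because some software chokes on critical extensions, so the section now contradicts itself. If that compatibility concern is obsolete, `basicConstraints = critical,CA:true` should be enabled in the same change, since RFC 5280 requires it to be critical in CA certificates whose keys validate certificate signatures; if it still applies, a critical keyUsage will trip the same clients. Separately, `digitalSignature` is only needed when the CA key signs something other than certificates and CRLs, such as OCSP responses. If it does not, `keyUsage = critical, cRLSign, keyCertSign` keeps the CA key's permitted use narrower; if it does, a one-line comment such as `# digitalSignature: CA key also signs OCSP responses` would record why. The section header is outside the hunk, so this presumably applies to the CA extensions section.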