diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index bc8a97e8e..40282e628 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@@ -123,7 +123,7 @@ basicConstraints = critical, CA:true
 
 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.
-keyUsage = critical, cRLSign, keyCertSign
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
 
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA
diff --git a/easyrsa3/x509-types/ca b/easyrsa3/x509-types/ca
index a9b4fbb58..775ec6488 100644
--- a/easyrsa3/x509-types/ca
+++ b/easyrsa3/x509-types/ca
@@ -9,4 +9,4 @@
 basicConstraints = critical, CA:TRUE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
-keyUsage = critical, cRLSign, keyCertSign
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign