diff --git a/butterfly.server.py b/butterfly.server.py
index 745f080..a037dd9 100755
--- a/butterfly.server.py
+++ b/butterfly.server.py
@@ -189,13 +189,21 @@ def read(file):
     ca_pk.generate_key(crypto.TYPE_RSA, 2048)
     ca_cert = crypto.X509()
     ca_cert.get_subject().CN = 'Butterfly CA on %s' % socket.gethostname()
-    ca_cert.set_version(2)
+    ca_cert.set_version(3)
     fill_fields(ca_cert.get_subject())
     ca_cert.set_serial_number(uuid.uuid4().int)
     ca_cert.gmtime_adj_notBefore(0) # From now
     ca_cert.gmtime_adj_notAfter(315360000) # to 10y
     ca_cert.set_issuer(ca_cert.get_subject()) # Self signed
     ca_cert.set_pubkey(ca_pk)
+    ca_cert.add_extensions([
+        crypto.X509Extension(
+            'basicConstraints', True, 'CA:TRUE, pathlen:0'),
+        crypto.X509Extension(
+            'keyUsage', True, 'keyCertSign, cRLSign'),
+        crypto.X509Extension(
+            'subjectKeyIdentifier', False, 'hash', subject=ca_cert),
+    ])
     ca_cert.sign(ca_pk, 'sha512')
     write(ca, crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
@@ -214,7 +222,7 @@ def read(file):
         value = 'DNS:%s' % host
         server_cert.add_extensions([crypto.X509Extension(
             alt.encode('utf-8'), False, value.encode('utf-8'))])
-    server_cert.set_version(2)
+    server_cert.set_version(3)
     fill_fields(server_cert.get_subject())
     server_cert.set_serial_number(uuid.uuid4().int)
@@ -266,7 +274,7 @@ def read(file):
     client_cert = crypto.X509()
     client_cert.get_subject().CN = user
-    client_cert.set_version(2)
+    client_cert.set_version(3)
     fill_fields(client_cert.get_subject())
     client_cert.set_serial_number(uuid.uuid4().int)
     client_cert.gmtime_adj_notBefore(0) # From now
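Review bot: `ca_cert.set_version(3)` (and the identical change to server_cert and client_cert in the second and third hunks) encodes an undefined X.509 version: pyOpenSSL hands the integer straight to OpenSSL's X509_set_version, where the version field is zero-based (v1 is 0, v3 is 2), so the original `set_version(2)` already produced v3 certificates and the new value writes a version field of 0x3 that strict parsers and newer OpenSSL releases may reject. Keep `ca_cert.set_version(2)  # X.509 v3 is encoded as 2 (zero-based)` in all three places; the extensions added in this hunk are what make the CA usable as a CA and they only require a v3 certificate, not the literal 3. Separately, the six extension name/value arguments in the new `add_extensions` call are str literals while the SAN extension on server_cert in the second hunk encodes both to bytes; on Python 3 pyOpenSSL's `X509Extension` expects bytes, so write them as `b'basicConstraints'`, `b'CA:TRUE, pathlen:0'` and likewise for the other four. The enclosing function starts before this hunk, so the matching extensions (if any) on the server and client certificates are not visible here.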