diff --git a/ssl_mgmt/openssl.cnf.in b/ssl_mgmt/openssl.cnf.in
index ada01a3..9771a36 100644
--- a/ssl_mgmt/openssl.cnf.in
+++ b/ssl_mgmt/openssl.cnf.in
@@ -24,7 +24,7 @@ policy = policy_match
 copy_extensions = copy
 # We want those extensions only to generate the root certificates, so
 # we specify it on the command line:
-x509_extensions = v3_ca
+x509_extensions = v3_x509
 
 [ policy_match ]
 countryName = match
@@ -64,3 +64,8 @@ authorityKeyIdentifier = keyid:always,issuer:always
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 subjectAltName = @ALTNAME@
+
+[ v3_x509 ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
diff --git a/ssl_mgmt/tests/5/cmdline b/ssl_mgmt/tests/5/cmdline
new file mode 100644
index 0000000..65feb3f
--- /dev/null
+++ b/ssl_mgmt/tests/5/cmdline
@@ -0,0 +1,3 @@
+keyId= cnfFilePath=./ssl_mgmt.conf ../ssl_mgmt renew foo \
+	&& openssl x509 -in destdir/certs/foo-cert.pem -text -noout \
+	| grep -A 1 "X509v3 Basic Constraints:" | grep "CA:FALSE"
diff --git a/ssl_mgmt/tests/5/driver b/ssl_mgmt/tests/5/driver
new file mode 100755
index 0000000..e64bbaa
--- /dev/null
+++ b/ssl_mgmt/tests/5/driver
@@ -0,0 +1,2 @@
+echo
+echo "y"
diff --git a/ssl_mgmt/tests/5/fini b/ssl_mgmt/tests/5/fini
new file mode 120000
index 0000000..f12b28a
--- /dev/null
+++ b/ssl_mgmt/tests/5/fini
@@ -0,0 +1 @@
+../restore_foo_fini
\ No newline at end of file
diff --git a/ssl_mgmt/tests/5/init b/ssl_mgmt/tests/5/init
new file mode 120000
index 0000000..f74317c
--- /dev/null
+++ b/ssl_mgmt/tests/5/init
@@ -0,0 +1 @@
+../save_foo_init
\ No newline at end of file