diff --git a/src/main.cpp b/src/main.cpp
index efe8cc5f5..39dfaa241 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -350,6 +350,8 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 	int rc;
 	X509 * x = NULL;
 	X509_NAME * name= NULL;
+	X509_EXTENSION* ext = NULL;
+	X509V3_CTX v3_ctx;
 	if ((x = X509_new()) == NULL) {
 		proxy_error("Unable to run X509_new()\n");
 		exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
@@ -370,8 +372,6 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 	if (ca_x509) {
 		rc = X509_set_issuer_name(x, X509_get_subject_name(ca_x509));
 	} else {
-		X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:FALSE");
-		X509_add_ext(x, extension, -1);
 		rc = X509_set_issuer_name(x, name);
 	}
 	if (rc==0) {
@@ -379,6 +379,19 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 		exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
 	}
 
+	// set the context
+	X509V3_set_ctx(&v3_ctx, ca_x509 ? ca_x509 : x, x, NULL, NULL, 0);
+
+	ext = X509V3_EXT_conf_nid(
+		NULL, &v3_ctx, NID_basic_constraints, ca_x509 ? "critical, CA:FALSE" : "critical, CA:TRUE");
+	if (ext) {
+		X509_add_ext(x, ext, -1);
+		X509_EXTENSION_free(ext);
+	} else {
+		proxy_error("Unable to set certificate extensions: %s\n", ERR_error_string(ERR_get_error(),NULL));
+		exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
+	}
+
 	if (ca_pkey) {
 		rc = X509_sign(x, ca_pkey, EVP_sha256());
 	} else {