diff --git a/cli/Valet/Site.php b/cli/Valet/Site.php
index ff1fd1a..86ba1d4 100644
--- a/cli/Valet/Site.php
+++ b/cli/Valet/Site.php
@@ -570,7 +570,7 @@ public function createCa(int $caExpireInDays): void
 ));
 $this->cli->runAsUser(sprintf(
- 'openssl req -new -newkey rsa:2048 -days %s -nodes -x509 -subj "/C=/ST=/O=%s/localityName=/commonName=%s/organizationalUnitName=Developers/emailAddress=%s/" -keyout "%s" -out "%s"',
+ 'openssl req -new -newkey rsa:2048 -days %s -nodes -x509 -subj "/C=/ST=/O=%s/localityName=/commonName=%s/organizationalUnitName=Developers/emailAddress=%s/" -keyout "%s" -out "%s" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,digitalSignature,keyCertSign" -addext "subjectKeyIdentifier=hash"',
 $caExpireInDays, $oName, $cName, 'rootcertificate@laravel.valet', $caKeyPath, $caPemPath
 ));
 $this->trustCa($caPemPath);
@@ -614,7 +614,7 @@ public function createCertificate(string $url, int $caExpireInDays): void
 $this->buildCertificateConf($confPath, $url);
 $this->createPrivateKey($keyPath);
- $this->createSigningRequest($url, $keyPath, $csrPath, $confPath);
+ $this->createSigningRequest($url, $keyPath, $csrPath);
 $caSrlParam = '-CAserial "'.$caSrlPath.'"';
 if (! $this->files->exists($caSrlPath)) {
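Review bot: The root certificate built in createCa is now marked `CA:TRUE` but carries no path-length limit, so a key that is written unencrypted (`-nodes`) and then handed to `trustCa` could also sign subordinate CAs; `-addext "basicConstraints=critical,CA:TRUE,pathlen:0"` would limit it to issuing leaf certificates. `digitalSignature` is not needed on a certificate whose only job is signing other certificates, so `keyUsage=critical,keyCertSign` would be tighter. The `-addext` option is also missing from older `openssl req` builds (it arrived with OpenSSL 1.1.1, and the LibreSSL bundled with older macOS releases may not have it), so it is worth confirming which binary `runAsUser` resolves and failing with a clear message when the option is rejected. The body of createCa starts and ends outside this hunk.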
@@ -646,11 +646,11 @@ public function createPrivateKey(string $keyPath): void
 /**
 * Create the signing request for the TLS certificate.
 */
- public function createSigningRequest(string $url, string $keyPath, string $csrPath, string $confPath): void
+ public function createSigningRequest(string $url, string $keyPath, string $csrPath): void
 {
 $this->cli->runAsUser(sprintf(
- 'openssl req -new -key "%s" -out "%s" -subj "/C=/ST=/O=/localityName=/commonName=%s/organizationalUnitName=/emailAddress=%s%s/" -config "%s"',
- $keyPath, $csrPath, $url, $url, '@laravel.valet', $confPath
+ 'openssl req -new -key "%s" -out "%s" -subj "/C=/ST=/O=/localityName=/commonName=%s/organizationalUnitName=/emailAddress=%s%s/"',
+ $keyPath, $csrPath, $url, $url, '@laravel.valet'
 ));
 }
diff --git a/cli/stubs/openssl.conf b/cli/stubs/openssl.conf
index d81f8d7..0ec736c 100644
--- a/cli/stubs/openssl.conf
+++ b/cli/stubs/openssl.conf
@@ -16,9 +16,11 @@ commonName_max = 64
 [ v3_req ]
 # Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names
+authorityKeyIdentifier = keyid
+subjectKeyIdentifier = hash
 [alt_names]
 DNS.1 = VALET_DOMAIN
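Review bot: In createSigningRequest in cli/Valet/Site.php, `$url`, `$keyPath` and `$csrPath` are still interpolated into a double-quoted shell string, so a value containing a double quote, `$` or a backquote would alter the command that `runAsUser` executes. Building the subject first and passing each value through `escapeshellarg()` (with the literal quotes dropped from the format string) would close that, whatever the origin of the site name. With `-config` removed, `openssl req` falls back to the system default configuration and the CSR no longer carries the `v3_req` extensions, so the SAN in the issued certificate presumably depends entirely on the signing step, which is outside this diff. If that is the intent, a comment such as `// Extensions (SAN, key usage) are applied when the CA signs the CSR, not in the request.` would record it. The call in createCertificate is updated to the three-argument form in the hunk before this one.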
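Review bot: The `[ v3_req ]` section in cli/stubs/openssl.conf still has no `extendedKeyUsage`, and `keyUsage` keeps `nonRepudiation`, which a TLS server certificate does not need. Now that the extensions are marked critical, it would be consistent to scope the leaf to its single purpose with `extendedKeyUsage = serverAuth` and `keyUsage = critical, digitalSignature, keyEncipherment`. Apple's published requirements for trusted TLS server certificates on recent macOS include a serverAuth EKU, so this may also decide whether clients on the host accept the certificate; worth verifying on a current release. `authorityKeyIdentifier = keyid` can only be resolved when an issuer certificate is available, so the existing comment `# Extensions to add to a certificate request` looks outdated and would read better as `# Extensions applied when the CA signs the certificate (not usable as req_extensions)`.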