diff --git a/appmgr/src/net/ssl.rs b/appmgr/src/net/ssl.rs
index a484e4b09..353efcce3 100644
--- a/appmgr/src/net/ssl.rs
+++ b/appmgr/src/net/ssl.rs
@@ -422,21 +422,15 @@ fn make_leaf_cert(
 Some(&cfg),
 Some(&ctx),
 Nid::AUTHORITY_KEY_IDENTIFIER,
- "keyid:always,issuer",
+ "keyid,issuer:always",
 )?;
- // basicConstraints = critical, CA:true, pathlen:0
- let basic_constraints = X509Extension::new_nid(
- Some(&cfg),
- Some(&ctx),
- Nid::BASIC_CONSTRAINTS,
- "critical,CA:true,pathlen:0",
- )?;
- // keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+ let basic_constraints =
+ X509Extension::new_nid(Some(&cfg), Some(&ctx), Nid::BASIC_CONSTRAINTS, "CA:FALSE")?;
 let key_usage = X509Extension::new_nid(
 Some(&cfg),
 Some(&ctx),
 Nid::KEY_USAGE,
- "critical,digitalSignature,cRLSign,keyCertSign",
+ "critical,digitalSignature,keyEncipherment",
 )?;
 let subject_alt_name = X509Extension::new_nid(
@@ -444,8 +438,8 @@ fn make_leaf_cert(
 Some(&ctx),
 Nid::SUBJECT_ALT_NAME,
 &format!(
- "DNS:*.{}.local,DNS:{}.onion,DNS:*.{}.onion",
- &applicant.1, &applicant.1, &applicant.1
+ "DNS:{}.local,DNS:*.{}.local,DNS:{}.onion,DNS:*.{}.onion",
+ &applicant.1, &applicant.1, &applicant.1, &applicant.1
 ),
 )?;
 builder.append_extension(subject_key_identifier)?;
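Review bot: The leaf extension set built in the first hunk has no extendedKeyUsage, so the certificate's purpose is limited only by `keyUsage`, and some TLS clients expect `serverAuth` on server certificates. Consider building `X509Extension::new_nid(Some(&cfg), Some(&ctx), Nid::EXT_KEY_USAGE, "serverAuth")?` and appending it with the others, unless that already happens in the part of `make_leaf_cert` outside this hunk. Separately, the removed lines show that leaves issued before this change carry `CA:true` with `keyCertSign`; those remain usable as signing certificates until they expire, and nothing in the visible lines regenerates them.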
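Review bot: `applicant.1` is interpolated, now four times, into the subjectAltName value in the second hunk, and OpenSSL parses that value as a comma-separated configuration string, so a `,` or `:` inside it would change which names the certificate covers. Whether `applicant.1` is validated before it reaches `make_leaf_cert` is not visible here; if it is not, reject anything outside the expected hostname alphabet before formatting, for example by requiring `applicant.1.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')`. The function body starts and ends outside the hunk.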