diff --git a/tasks/ownca_cert.yml b/tasks/ownca_cert.yml
index fe77e47..bf609bd 100644
--- a/tasks/ownca_cert.yml
+++ b/tasks/ownca_cert.yml
@@ -15,6 +15,11 @@
 src: "{{ cert.csrpath }}"
 register: csrfile
 
+- name: slurp key for {{ certname }}
+ slurp:
+ src: "{{ cert.keypath }}"
+ register: keyfile
+
 - name: setup ca
 delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}"
 block:
@@ -51,6 +56,15 @@
 openssl_csr:
 path: "{{ cacsrpath }}"
 privatekey_path: "{{ cakeypath }}"
+ basic_constraints: "CA:TRUE"
+ key_usage:
+ - digitalSignature
+ - keyCertSign
+ - cRLSign
+ key_usage_critical: yes
+ basic_constraints_critical: yes
+ use_common_name_for_san: false
+ common_name: "Root CA: {{ cert_backend.name }}"
 - name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})"
 openssl_certificate:
 path: "{{ cacertpath }}"
@@ -58,6 +72,7 @@
 csr_path: "{{ cacsrpath }}"
 provider: selfsigned
 selfsigned_not_after: "{{ cert_backend.ca_not_after }}"
+ selfsigned_create_subject_key_identifier: always_create
 - name: slurp ca crt for {{ cert_backend.name }} ({{ certname }})"
 slurp:
 src: "{{ cacertpath }}"
@@ -75,6 +90,7 @@
 ownca_privatekey_path: "{{ cakeypath }}"
 provider: ownca
 ownca_not_after: "{{ cert_backend.not_after }}"
+ ownca_create_subject_key_identifier: always_create
 - name: "copy crt from ca for {{ certname }}"
 slurp:
 src: "{{ remotecrtpath }}"
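Review bot: The new `slurp` of `{{ cert.keypath }}` in the `@@ -15,6 +15,11 @@` hunk registers the private key (base64) as `keyfile` with no `no_log`, so the key bytes appear in verbose output and in any callback plugin that dumps registered results; add `no_log: true` to this task. The same gap exists in the last hunk (`@@ -89,25 +105,16 @@`), where the new `copy` task passes `{{ keyfile.content | b64decode }}` through `content:` and module arguments are logged the same way, so that task needs `no_log: true` as well. The `setup ca` block that follows this hunk continues outside it.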
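Review bot: In the `@@ -51,6 +56,15 @@` hunk, `key_usage_critical: yes` and `basic_constraints_critical: yes` use YAML 1.1 truthy words while `use_common_name_for_san: false` two lines later uses the canonical form, so the same task mixes both styles and trips yamllint's truthy rule; write `key_usage_critical: true` and `basic_constraints_critical: true`. The `openssl_csr` task these options belong to starts before the hunk.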
@@ -89,25 +105,16 @@
 content: "{{ cafile.content | b64decode }}"
 dest: "{{ cert.capath }}"
 - name: "generate concatinated versions (chain) for {{ certname }}"
- shell: "umask 0137; cat {{ cert.certpath }} {{ cert.capath }} > {{ cert.chainpath }}"
- args:
- creates: "{{ cert.chainpath }}"
-
-- name: "set permission for concatinated versions (chain) for {{ certname }}"
- file:
- path: "{{ cert.chainpath }}"
+ copy:
+ content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}"
+ dest: "{{ cert.chainpath }}"
 mode: 0644
 owner: root
 group: ssl-cert
-
 - name: "generate concatinated versions (full) for {{ certname }}"
- shell: "umask 0137; cat {{ cert.chainpath }} {{ cert.keypath }} > {{ cert.fullpath }}"
- args:
- creates: "{{ cert.fullpath }}"
-
-- name: "set permissions for concatinated versions (full) for {{ certname }}"
- file:
- path: "{{ cert.fullpath }}"
+ copy:
+ content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}{{ keyfile.content | b64decode }}"
+ dest: "{{ cert.fullpath }}"
 mode: 0640
 owner: root
 group: ssl-cert
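Review bot: Both new `content:` lines build the chain and full bundles by bare string concatenation of the decoded files, so if the certificate or CA file is ever written without a trailing newline the `-----END CERTIFICATE-----` line fuses with the following `-----BEGIN` line and the bundle no longer parses; the replaced `cat` pipeline shared this property, but the template form makes it cheap to guard, e.g. `content: "{{ crtfile.content | b64decode | trim }}\n{{ cafile.content | b64decode | trim }}\n"` and the same `| trim` plus `\n` for the key in the full bundle. Whether `crtfile` and `cafile` actually end in a newline depends on what the upstream `openssl_certificate` tasks wrote, which is outside this hunk.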