diff --git a/src/calibre/utils/certgen.c b/src/calibre/utils/certgen.c
index 902cff3937..c1d323211f 100644
--- a/src/calibre/utils/certgen.c
+++ b/src/calibre/utils/certgen.c
@@ -279,20 +279,21 @@ static PyObject* create_rsa_cert(PyObject *self, PyObject *args) {
 if (!X509_set_pubkey(Cert, PubKey)) { set_error("X509_set_pubkey"); goto error; }
 X509_EXTENSION *ex;
 if (req_is_for_CA_cert) {
- X509V3_set_ctx(&ctx, NULL, Cert, NULL, NULL, 0);
+ X509V3_set_ctx(&ctx, Cert, Cert, NULL, NULL, 0);
 X509V3_set_ctx_nodb(&ctx);
- ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash");
- if (!ex) { set_error("creating subject key identifier failed"); goto error; }
- X509_add_ext(Cert, ex, -1);
- X509_EXTENSION_free(ex);
 } else {
 X509V3_set_ctx(&ctx, CA_cert, Cert, NULL, NULL, 0);
 X509V3_set_ctx_nodb(&ctx);
- ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier, "keyid:always");
- if (!ex) { set_error("creating authority key identifier failed"); goto error; }
- X509_add_ext(Cert, ex, -1);
- X509_EXTENSION_free(ex);
 }
+ ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash");
+ if (!ex) { set_error("creating subject key identifier failed"); goto error; }
+ X509_add_ext(Cert, ex, -1);
+ X509_EXTENSION_free(ex);
+ ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier, "keyid:always");
+ if (!ex) { set_error("creating authority key identifier failed"); goto error; }
+ X509_add_ext(Cert, ex, -1);
+ X509_EXTENSION_free(ex);
+
 Py_BEGIN_ALLOW_THREADS;
 signature_length = X509_sign(Cert, CA_key, EVP_sha256());
 Py_END_ALLOW_THREADS;
@@ -402,7 +403,7 @@ verify_cert(PyObject *self, PyObject *args) {
 Py_END_ALLOW_THREADS
 X509_STORE_CTX_free(vfy_ctx);
 X509_STORE_free(store);
- if (!ok) { set_error("Verification failed"); return NULL; }
+ if (!ok) { set_error("X509_verify_cert"); return NULL; }
 Py_RETURN_NONE;
 }
diff --git a/src/calibre/utils/certgen.py b/src/calibre/utils/certgen.py
index 029bdb7a3a..e654b645d4 100644
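Review bot: The return value of X509_add_ext is still unchecked at both new call sites, so a failed insertion (it returns 0 on failure) silently produces a certificate missing the identifier extension and execution falls through to X509_sign; check it, e.g. `if (!X509_add_ext(Cert, ex, -1)) { X509_EXTENSION_free(ex); set_error("X509_add_ext"); goto error; }` at each site. The order of the two additions is also load-bearing on the self-signed CA path: with the issuer in ctx now set to Cert itself, OpenSSL resolves the `keyid:always` authority key identifier from the issuer certificate's subject key identifier, which only exists because the SKI extension was added to Cert immediately before, so a comment such as `/* SKI must be added before AKI: for the self-signed CA the issuer is Cert itself and keyid:always reads its SKI */` would keep a future reorder from breaking CA generation. create_rsa_cert starts and ends outside the hunk.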
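Review bot: Renaming the message to the OpenSSL call name loses the reason the chain was rejected: X509_verify_cert returns 0 for policy failures such as an expired or untrusted certificate without necessarily pushing anything onto the error queue, and the verification error code lives in vfy_ctx, which is freed two lines above the check. Capture it first, `int verr = X509_STORE_CTX_get_error(vfy_ctx);` ahead of `X509_STORE_CTX_free(vfy_ctx);`, and report `X509_verify_cert_error_string(verr)` together with the call name on the failure path. How set_error renders its argument is outside this hunk, so whether it already drains the error queue cannot be confirmed here; verify_cert begins outside the hunk.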
--- a/src/calibre/utils/certgen.py
+++ b/src/calibre/utils/certgen.py
@@ -69,14 +69,15 @@ def create_server_cert(
 # Create the Certificate Authority
 cakey = create_key_pair(key_size)
 careq = create_cert_request(
- cakey, ca_name, basic_constraints='critical,CA:TRUE', digital_key_usage='critical,keyCertSign,cRLSign')
+ cakey, ca_name, basic_constraints='critical,CA:TRUE', digital_key_usage='critical,keyCertSign,cRLSign',
+ ext_key_usage='critical,serverAuth,clientAuth')
 cacert = create_ca_cert(careq, cakey)
 # Create the server certificate issued by the newly created CA
 pkey = create_key_pair(key_size)
 req = create_cert_request(
 pkey, domain_or_ip, country, state, locality, organization, organizational_unit, email_address, alt_names,
- ext_key_usage='critical,serverAuth')
+ digital_key_usage='critical,keyEncipherment,digitalSignature', ext_key_usage='critical,serverAuth,clientAuth')
 cert = create_cert(req, cacert, cakey, expire=expire)
 def export(dest, obj, func, *args):
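Review bot: The new extended key usage values carry no comment saying why a CA certificate now has serverAuth/clientAuth and why the leaf gained clientAuth, and these are policy choices a later maintainer will be tempted to trim back. The likely motivation, which should be written down, is that some validators require extended key usage to nest through the whole chain, so a CA without the leaf's EKU makes the leaf fail on those platforms; a comment such as `# EKU is also set on the CA because some validators require it to nest along the chain` above the careq call would capture this. The leaf's new `keyEncipherment,digitalSignature` key usage fits an RSA TLS server key, so if create_key_pair (outside this hunk) ever produces a non-RSA key the critical keyEncipherment bit would need revisiting. create_server_cert begins before the hunk.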