diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index 2279df4..06c96ea 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -79,7 +79,7 @@
 - name: Generate server csr
 ansible.builtin.shell:
- cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365'
+ cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
 - name: Sign server certificate
 ansible.builtin.shell:
diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2
index d1c504f..fd59ce4 100644
--- a/roles/rproxy/templates/server.cnf.j2
+++ b/roles/rproxy/templates/server.cnf.j2
@@ -1,4 +1,3 @@
-[ req ]
 prompt = no
 days = 365
 distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }}
@@ -15,10 +14,10 @@ commonName = {{ rproxy_service_name }}.{{ domain.stdout }}
 emailAddress = admin@{{ domain.stdout }}
 
 [ v3_req ]
-basicConstraints = CA:false
+basicConstraints = critical; CA:false
 extendedKeyUsage = serverAuth
 subjectAltName = @sans
 
-[sans]
+[ sans ]
 DNS.1 = *.{{ domain.stdout }}
 IP.1 = {{ rproxy_service_address }}
\ No newline at end of file
diff --git a/server.cnf.j2 b/server.cnf.j2
new file mode 100644
index 0000000..d1c504f
--- /dev/null
+++ b/server.cnf.j2
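Review bot: The new `cmd:` line still hands `openssl req` to a shell with `{{ rproxy_dir }}` and `{{ rproxy_service_name }}` spliced in unquoted, so a value containing whitespace or shell metacharacters alters the command rather than being passed as one argument; `ansible.builtin.command` with `argv:` passes each piece as a discrete argument and needs no shell at all. The task also declares no `creates:`, so a fresh CSR is produced on every play run, which is presumably not intended given the next task signs it. Dropping `-days 365` is right, since `openssl req` only honours it together with `-x509`. The `Sign server certificate` task that consumes the CSR continues outside the hunk and has the same shell-interpolation shape.
```yaml
- name: Generate server csr
  ansible.builtin.command:
    argv:
      - openssl
      - req
      - -key
      - "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key"
      - -new
      - -out
      - "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
      - -config
      - "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf"
    creates: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
# … unchanged: Sign server certificate task …
```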
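Review bot: Removing `[ req ]` moves `prompt`, `days`, `distinguished_name` and `req_extensions` into OpenSSL's unnamed default section; as far as I recall the config lookup used by `openssl req` falls back to the default section when a key is missing from `[ req ]`, so this likely still works, but it now relies on that fallback rather than on the documented section name. Keeping the header, `[ req ]`, as the first line makes it explicit which keys the `req` tool reads, and it matches the copy of this template added at the repository root in the same commit, which still carries the header.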
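Review bot: `basicConstraints = critical; CA:false` uses a semicolon where OpenSSL's extension syntax expects a comma, so the `critical` prefix is not recognised and the whole value is parsed as a single `critical; CA` item, which I would expect the basicConstraints parser to reject as an invalid name when `req_extensions = v3_req` is loaded, failing CSR generation. The line should read `basicConstraints = critical, CA:FALSE`. The `[sans]` to `[ sans ]` change is cosmetic, since OpenSSL trims whitespace inside section headers. Separately, `DNS.1 = *.{{ domain.stdout }}` puts a wildcard for the entire domain on one reverse-proxy certificate; if the proxy only serves `{{ rproxy_service_name }}.{{ domain.stdout }}`, listing that exact name limits what a leaked key can be used for, and a `keyUsage = digitalSignature, keyEncipherment` entry is worth adding unless the signing step supplies one.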
@@ -0,0 +1,24 @@
+[ req ]
+prompt = no
+days = 365
+distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }}
+req_extensions = v3_req
+
+
+[ {{ rproxy_service_name }}.{{ domain.stdout }} ]
+countryName = RU
+stateOrProvinceName = RU
+localityName = MSK
+organizationName = {{ domain.stdout }}
+organizationalUnitName = IT
+commonName = {{ rproxy_service_name }}.{{ domain.stdout }}
+emailAddress = admin@{{ domain.stdout }}
+
+[ v3_req ]
+basicConstraints = CA:false
+extendedKeyUsage = serverAuth
+subjectAltName = @sans
+
+[sans]
+DNS.1 = *.{{ domain.stdout }}
+IP.1 = {{ rproxy_service_address }}
\ No newline at end of file
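Review bot: The new top-level `server.cnf.j2` has blob id `d1c504f`, the same id the pre-change `roles/rproxy/templates/server.cnf.j2` had in the previous file section, so it is a verbatim copy of the old template (with `[ req ]`, `CA:false` and `[sans]`) placed outside the role, where the role's template lookup will not find it; this looks like a stray backup that was committed by accident. If it is intentional, a leading `# copy of roles/rproxy/templates/server.cnf.j2 — used for <purpose>` comment would explain why two copies exist, and it should be kept in step with the role's template rather than preserving the pre-change content. The file also ends without a trailing newline.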