diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 3d5c8fe92e7..de8b2e7edef 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -379,9 +379,9 @@ boost::shared_ptr CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
 X509_set_subject_name(cert, subject);
 X509_set_issuer_name(cert, issuer);
- if (!serialfile.IsEmpty()) {
- int serial = 0;
+ int serial = 1;
+ if (!serialfile.IsEmpty()) {
 std::ifstream ifp;
 ifp.open(serialfile.CStr());
 ifp >> std::hex >> serial;
@@ -397,22 +397,28 @@ boost::shared_ptr CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
 if (ofp.fail())
 BOOST_THROW_EXCEPTION(std::runtime_error("Could not update serial file."));
-
- ASN1_INTEGER_set(X509_get_serialNumber(cert), serial);
 }
- if (ca) {
- X509_EXTENSION *ext;
- X509V3_CTX ctx;
- X509V3_set_ctx_nodb(&ctx);
- X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
- ext = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast("critical,CA:TRUE"));
+ ASN1_INTEGER_set(X509_get_serialNumber(cert), serial);
- if (ext)
- X509_add_ext(cert, ext, -1);
+ X509_EXTENSION *ext;
+ X509V3_CTX ctx;
+ X509V3_set_ctx_nodb(&ctx);
+ X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
- X509_EXTENSION_free(ext);
- }
+ const char *attr;
+
+ if (ca)
+ attr = "critical,CA:TRUE";
+ else
+ attr = "critical,CA:FALSE";
+
+ ext = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast(attr));
+
+ if (ext)
+ X509_add_ext(cert, ext, -1);
+
+ X509_EXTENSION_free(ext);
 X509_sign(cert, cakey, EVP_sha256());
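Review bot: `int serial = 1;` combined with the `ASN1_INTEGER_set` call that the second hunk moves outside the serial-file branch means every certificate created without a serial file carries serial number 1, so two such certificates from the same issuer collide on the issuer+serial pair that RFC 5280 requires to be unique; the old code only set a serial inside the branch. If a fixed fallback is intentional, document it at the declaration, e.g. `int serial = 1; // no serial file: fixed serial, not unique across issued certs`, otherwise derive the fallback from a non-repeating source. The context line `ifp >> std::hex >> serial;` is still unchecked, so a serial file that cannot be opened or parsed presumably leaves the value at 1 (or 0 on a failed extraction) rather than failing loudly; a check such as `if (ifp.fail()) BOOST_THROW_EXCEPTION(std::runtime_error("Could not read serial file."));` would match the error style already used for the ofstream a few lines below. CreateCert begins before and continues after this hunk.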
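Review bot: `ext = X509V3_EXT_conf_nid(...)` can return NULL, and the new code then skips `X509_add_ext` and proceeds to `X509_sign`, so a certificate that was supposed to be marked `critical,CA:FALSE` would be signed with no basicConstraints extension at all, which silently defeats the purpose of this change (the old code had the same gap, but only on the CA path). Since this function already reports failures with BOOST_THROW_EXCEPTION, replace the `if (ext)` guard with `if (!ext) BOOST_THROW_EXCEPTION(std::runtime_error("Could not create basicConstraints extension."));` and check the return value of `X509_add_ext` the same way; `X509_EXTENSION_free(ext)` on a null pointer is harmless but no longer needed once the failure throws. The `const_cast(attr)` template argument appears to have been stripped when this page was rendered, so it is not reviewable here. CreateCert continues past the end of this hunk.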