diff --git a/roles/network_plugin/calico/files/openssl.conf b/roles/network_plugin/calico/files/openssl.conf
index b1cf7bf8f..f4ba47da7 100644
--- a/roles/network_plugin/calico/files/openssl.conf
+++ b/roles/network_plugin/calico/files/openssl.conf
@@ -18,3 +18,10 @@ basicConstraints = CA:TRUE
 keyUsage = cRLSign, digitalSignature, keyCertSign
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
+
+[ ssl_client_apiserver ]
+extendedKeyUsage = clientAuth, serverAuth
+basicConstraints = CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+subjectAltName = DNS:calico-api.calico-apiserver.svc
diff --git a/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2 b/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2
index 93ff9f7b6..94b2022e7 100644
--- a/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2
+++ b/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2
@@ -87,7 +87,7 @@ elif [ $SERVICE == "apiserver" ]; then
 # calico-apiserver
 openssl genrsa -out apiserver.key {{certificates_key_size}} > /dev/null 2>&1
 openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=calico-apiserver" -config ${CONFIG} > /dev/null 2>&1
- openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
+ openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client_apiserver -extfile ${CONFIG} > /dev/null 2>&1
 else
 echo "ERROR: the openssl configuration file is missing. option -s"
 exit 1
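Review bot: The new `[ ssl_client_apiserver ]` section grants `serverAuth` but its `subjectAltName` carries a single name, so TLS hostname verification only succeeds for clients that dial exactly `calico-api.calico-apiserver.svc`; as far as I know the kube-apiserver aggregation layer uses that form, but any client reaching the service by its bare name or by the cluster-domain FQDN will fail name matching. Because this file sits under `files/` rather than `templates/`, the cluster domain cannot be interpolated here; `subjectAltName = DNS:calico-api, DNS:calico-api.calico-apiserver, DNS:calico-api.calico-apiserver.svc` covers the in-cluster forms that do not depend on it, and the FQDN would require turning the file into a template. The section also sets no `keyUsage`, unlike the CA section directly above it; for an RSA end-entity certificate presented as a TLS server, `keyUsage = digitalSignature, keyEncipherment` is the conventional constraint and keeps the leaf from being usable for anything else. Minor: `authorityKeyIdentifier=keyid,issuer` differs from the CA section's `keyid:always,issuer` — presumably fine for a leaf, but worth aligning with the existing `ssl_client` section, which lies outside this hunk.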
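Review bot: The rewritten `openssl x509` line still discards both stdout and stderr via `> /dev/null 2>&1` and nothing checks its exit status, so if the `ssl_client_apiserver` section name ever drifts from the one in openssl.conf, signing fails silently and the script carries on with no `apiserver.crt`. In the script's existing error style, append `|| { echo "ERROR: failed to sign apiserver.crt with -extensions ssl_client_apiserver" >&2; exit 1; }` to the line; the unchanged `genrsa` and `req` lines above it have the same gap. `${CONFIG}` is also unquoted on the rewritten line, where `"${CONFIG}"` is safer and ShellCheck-clean. The `elif` branch opens in the hunk header and its closing `fi` lies outside the hunk.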