diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
index 50cdce47..0b5cef20 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
@@ -44,4 +44,5 @@ cp /tmp/confluent.* /mnt/etc/confluent/
 cp -a /tls /mnt/etc/confluent/
 cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
 cp -a /tls/* /mnt/etc/ssl/certs
+cp -a /tls/*.cert /etc/pki/trust/anchors
diff --git a/confluent_server/bin/confluentcertutil.py b/confluent_server/bin/confluentcertutil.py
index 24b46827..d0cbaacd 100644
--- a/confluent_server/bin/confluentcertutil.py
+++ b/confluent_server/bin/confluentcertutil.py
@@ -53,7 +53,7 @@ def create_certificate(outdir):
 shutil.copy2(sslcfg, tmpconfig)
 try:
 with open(tmpconfig, 'a') as cfgfile:
- cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
+ cfgfile.write('\n[SAN]i\nbasicConstraints = CA:true\nsubjectAltName={0}'.format(san))
 subprocess.check_call([ 'openssl', 'req', '-new', '-x509', '-key', keyout, '-days', '7300', '-out', certout, '-subj', '/CN={0}'.format(longname),
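Review bot: The added `cp -a /tls/*.cert /etc/pki/trust/anchors` writes into the installer environment's `/etc`, while every other copy in this hunk targets the installed system under `/mnt`, so the anchor probably never reaches the deployed node; if that is unintended the line should read `cp -a /tls/*.cert /mnt/etc/pki/trust/anchors`. The neighbouring lines copy `/tls/*` whereas this one matches only `*.cert`, so it is worth confirming the files in `/tls` carry that suffix, since an unmatched glob is passed to cp literally and the copy fails. Installing these files as trust anchors makes them system-wide roots on the node, which deserves a comment such as `# trust the deployment server certificate as a CA for all TLS clients on this node`. Presumably the target also needs an `update-ca-certificates` run before the new anchor shows up in the generated bundle.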
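Review bot: The new string writes the section header as `[SAN]i`; the trailing `i` looks like a stray editor keystroke and should be removed even if OpenSSL's config parser happens to tolerate it. The added `basicConstraints = CA:true` also turns the server's long-lived self-signed TLS certificate (`-days 7300` in the same call) into an unconstrained CA, and with the post.sh change in this commit nodes will trust anything signed by that key, so a stolen server key could be used to impersonate arbitrary hosts to them. Consider limiting it, for example `cfgfile.write('\n[SAN]\nbasicConstraints = critical,CA:true,pathlen:0\nsubjectAltName={0}'.format(san))`, and add a comment saying why the certificate has to be a CA. create_certificate begins before and continues past this hunk, so whether the `SAN` section is the one handed to `-extensions` cannot be confirmed from here.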