diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 254233637..81170e502 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5666,11 +5666,21 @@ create_legacy_stream() {
  ;;
  easyrsa)
  # This could be COMMON but not is not suitable for a CA
- cat <<- "CREATE_X509_TYPE_EASYRSA"
- basicConstraints = CA:FALSE
+ _ku='digitalSignature, keyEncipherment'
+ if [ "$EASYRSA_KU_CRITICAL" ]; then
+ _ku="${EASYRSA_KU_CRITICAL}, ${_ku}"
+ fi
+
+ _bc='CA:FALSE'
+ if [ "$EASYRSA_BC_CRITICAL" ]; then
+ _bc="${EASYRSA_BC_CRITICAL}, ${_bc}"
+ fi
+
+ cat <<- CREATE_X509_TYPE_EASYRSA
+ basicConstraints = $_bc
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer:always
- keyUsage = digitalSignature,keyEncipherment
+ keyUsage = $_ku
  CREATE_X509_TYPE_EASYRSA
  ;;
  serverClient)
@@ -5696,22 +5706,32 @@ create_legacy_stream() {
  ;;
  ca)
  # ca
- cat <<- "CREATE_X509_TYPE_CA"
- basicConstraints = CA:TRUE
+ _ku='cRLSign, keyCertSign'
+ if [ "$EASYRSA_KU_CRITICAL" ]; then
+ _ku="${EASYRSA_KU_CRITICAL}, ${_ku}"
+ fi
+
+ _bc='CA:TRUE'
+ if [ "$EASYRSA_BC_CRITICAL" ]; then
+ _bc="${EASYRSA_BC_CRITICAL}, ${_bc}"
+ fi
+
+ cat <<- CREATE_X509_TYPE_CA
+ basicConstraints = $_bc
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer:always
- keyUsage = cRLSign, keyCertSign
+ keyUsage = $_ku
  CREATE_X509_TYPE_CA
  ;;
  codeSigning)
  # codeSigning
- cat <<- "CREATE_X509_CODE_SIGNING"
+ cat <<- "CREATE_X509_TYPE_CODE_SIGNING"
  basicConstraints = CA:FALSE
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer:always
  extendedKeyUsage = codeSigning
  keyUsage = digitalSignature
- CREATE_X509_CODE_SIGNING
+ CREATE_X509_TYPE_CODE_SIGNING
  ;;
  email)
  # email
@@ -6056,6 +6076,9 @@ CREATE_SSL_CONFIG
  *) die "create_legacy_stream: unknown type '$1'"
  esac
+
+ # Cleanup
+ unset -v _ku _bc
 } # => create_legacy_stream()
 # Version information
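Review bot: The `[ "$EASYRSA_KU_CRITICAL" ]` and `[ "$EASYRSA_BC_CRITICAL" ]` tests in the easyrsa case accept any non-empty value and splice it verbatim into the generated OpenSSL extension lines, while the only value the new option arms ever set is the literal `critical`; if these variables can also arrive preset from the caller's environment or a vars file, as other EASYRSA_* settings appear to, a stray value such as `EASYRSA_KU_CRITICAL=yes` would silently yield an invalid `keyUsage` line instead of an error. Testing for the one supported value keeps the emitted config predictable: `if [ "$EASYRSA_KU_CRITICAL" = critical ]; then _ku="critical, ${_ku}"`, and likewise for `_bc`. The same pattern is repeated in the ca case of the next hunk. The heredoc delimiter is now unquoted so the whole block is subject to expansion; that is correct as written, but since the other heredocs in this function keep a quoted delimiter a short comment would prevent someone "fixing" it back: `# delimiter unquoted on purpose: $_bc and $_ku must expand`.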
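Review bot: The ca case still emits `basicConstraints = CA:TRUE` as non-critical unless `--bc-crit` is given, whereas RFC 5280 §4.2.1.9 requires basicConstraints to be critical in every CA certificate and §4.2.1.3 says keyUsage should be critical when present, and nothing in the hunk records why the conformant form is opt-in. If the lax default is kept for compatibility with existing deployments, say so at the top of the case, e.g. `# bc/ku stay non-critical by default for backward compatibility; --bc-crit/--ku-crit produce the RFC 5280 form`. The critical-prefix construction is now duplicated verbatim between the easyrsa and ca cases; a small helper taking the variable and the base value would keep the two from drifting. The codeSigning delimiter rename is purely cosmetic.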
@@ -6283,6 +6306,14 @@ subjectAltName = $val" --usefn) export EASYRSA_P12_FR_NAME="$val" ;; + --ku-crit*) + empty_ok=1 + export EASYRSA_KU_CRITICAL=critical + ;; + --bc-crit*) + empty_ok=1 + export EASYRSA_BC_CRITICAL=critical + ;; --version) shift "$#" set -- "$@" "version"
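Review bot: The new `--ku-crit*)` and `--bc-crit*)` patterns match any suffix, so `--ku-critical`, `--ku-crits` and `--bc-crit-foo` are all accepted silently, while the neighbouring `--usefn)` and `--version)` arms match exactly; if the trailing glob is only meant to allow the long spelling, listing the accepted forms is both tighter and self-documenting: `--ku-crit|--ku-critical)`. The arms only ever set the variable, so a value that was presumably already present in the environment cannot be switched off from the command line; if that is intended, a one-line comment on the arm (`# also honoured when preset in the environment`) saves the next reader a lookup. Exporting the value matches the existing `--usefn` arm.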