diff --git a/src/proxy/tinymitm/ssl.cpp b/src/proxy/tinymitm/ssl.cpp
index dc585bb..f3c3d80 100644
--- a/src/proxy/tinymitm/ssl.cpp
+++ b/src/proxy/tinymitm/ssl.cpp
@@ -62,10 +62,17 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
     memset(cert.get(), 0, sizeof(Cert));
     wc_InitCert(cert.get());
 
+    cert->isCA = 0;
+    cert->basicConstSet = 1;
+    cert->basicConstCrit = 0;
+
     cert->version = 2;
     cert->sigType = CTC_SHA256wRSA;
     cert->daysValid = 365;
 
+    cert->keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_KEY_ENCIPHER;
+    cert->extKeyUsage = EXTKEYUSE_SERVER_AUTH;
+
     strncpy_s(cert->subject.commonName, sizeof(cert->subject.commonName), hostTrimmed.c_str(), _TRUNCATE);
     wc_SetIssuerBuffer(cert.get(), _caCertDer.data(), (int)_caCertDer.size());
 
@@ -78,41 +85,41 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
     cert->serial[3] = hash & 0xFF;
 
     // SAN
-    std::vector<unsigned char> sanDer;
-    sanDer.push_back(0x30);
-    sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length() + 2));
-    sanDer.push_back(0x82);
-    sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length()));
-    sanDer.insert(sanDer.end(), hostTrimmed.begin(), hostTrimmed.end());
+    strncpy_s(reinterpret_cast<char*>(cert->altNames), sizeof(cert->altNames), hostTrimmed.c_str(), _TRUNCATE);
+    cert->altNamesSz = static_cast<word16>(hostTrimmed.length());
 
-    memcpy(cert->altNames, sanDer.data(), sanDer.size());
-    cert->altNamesSz = static_cast<word16>(sanDer.size());
+    wc_SetSubjectKeyIdFromPublicKey(cert.get(), _sessionKey.get(), nullptr);
+    wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), _caCertDer.size());
 
     /*
         cert sign
     */
-    std::vector<unsigned char> hostCertDer(4096);
-    int certLen =
-        wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _sessionKey.get(), nullptr, _rng.get());
+    std::vector<unsigned char> hostCertDer(8192);
+    int certLen = wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()),
+                              _sessionKey.get(), nullptr, _rng.get());
+    if (certLen < 0) return nullptr;
 
-    certLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _caKey.get(),
-                          nullptr, _rng.get());
-    hostCertDer.resize(certLen);
+    int signedLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(),
+                                static_cast<word32>(hostCertDer.size()), _caKey.get(), nullptr, _rng.get());
+    if (signedLen < 0) return nullptr;
+    hostCertDer.resize(signedLen);
 
     /*
         context setup
     */
-    WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
+    WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfTLS_server_method());
     if (!ctx) return nullptr;
-    if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()), WOLFSSL_FILETYPE_ASN1) !=
-            WOLFSSL_SUCCESS ||
+    if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()),
+                                           WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS ||
         wolfSSL_CTX_use_PrivateKey_buffer(ctx, _sessionKeyDer.data(), static_cast<long>(_sessionKeyDer.size()),
                                           WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS)
     {
         wolfSSL_CTX_free(ctx);
         return nullptr;
     }
+
     _hostContexts[host] = ctx;
+
     return ctx;
 }
 
@@ -172,10 +179,15 @@ bool CertificateManager::generateAndSaveCA(const char* caName, int days, const s
     cert->sigType = CTC_SHA256wRSA;
     cert->daysValid = days;
     cert->keyUsage = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN;
+    cert->pathLenSet = 0;
+    cert->pathLen = 0;
 
     cert->serialSz = 1;
     cert->serial[0] = 1;
 
+    wc_SetSubjectKeyIdFromPublicKey(cert.get(), _caKey.get(), 0);
+    wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), _caCertDer.size());
+
     /*
         CA sign
     */
@@ -239,7 +251,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
     std::vector<unsigned char> keyDer;
     DerBuffer* derBuff = nullptr;
 
-    int ret = wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr);
+    int ret =
+        wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr);
     if (ret == 0 && derBuff)
     {
         certDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
@@ -249,7 +262,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
         return false;
 
     derBuff = nullptr;
-    ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr, nullptr);
+    ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr,
+                      nullptr);
     if (ret == 0 && derBuff)
     {
         keyDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
@@ -260,6 +274,7 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
 
     return decodeCA(certDer, keyDer);
 }
+
 bool CertificateManager::decodeCA(const std::vector<unsigned char>& certDer, const std::vector<unsigned char>& keyDer)
 {
     if (certDer.empty() || keyDer.empty()) return false;