diff --git a/rootreq.conf b/rootreq.conf
index 6a418ff..73e34bf 100644
--- a/rootreq.conf
+++ b/rootreq.conf
@@ -44,3 +44,7 @@ emailAddress_default            = rootca@example.org
 basicConstraints                = critical, CA:true, pathlen:1
 keyUsage                        = critical, keyCertSign,cRLSign
 nsComment                       = "Example Labs Root Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer:always