diff --git a/autoca/ca.py b/autoca/ca.py
index a261d9b11f89f6f91a78bf9394603d41b195cb0c..f15f678a1e606af365d8790313e6f81c8c2938f6 100644
--- a/autoca/ca.py
+++ b/autoca/ca.py
@@ -20,6 +20,28 @@ class CA(object):
         self._init_ca()
         self._load_crl()
 
+    def _generate_ca_cert(self):
+        ca_req = certutil.create_cert_request(
+            self.ca_key, **(self.ca_subject))
+        self.ca_crt = certutil.sign_certificate(
+            ca_req, self.ca_key, ca_req, 1, 3650,
+            extensions=[
+                crypto.X509Extension('basicConstraints', True,
+                                     'CA:TRUE, pathlen:0'),
+                crypto.X509Extension('keyUsage', True,
+                                     'keyCertSign, cRLSign'),
+                #crypto.X509Extension('subjectKeyIdentifier', False,
+                #                     'hash', subject=ca_req),
+                ],
+            digest=self.digest)
+
+        crt_str = crypto.dump_certificate(
+            crypto.FILETYPE_PEM, self.ca_crt)
+        self.storage.set_ca(
+            crypto.dump_privatekey(crypto.FILETYPE_PEM, self.ca_key),
+            crt_str)
+        self.public_ca_pem = crt_str
+
     def _init_ca(self):
         key_str, crt_str = self.storage.get_ca()
         if key_str:
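Review bot: The self-signed CA certificate is always issued with serial `1` and a fixed 3650-day lifetime in `sign_certificate(ca_req, self.ca_key, ca_req, 1, 3650, ...)` (the leaf-signing call later in this diff passes `new_serial, days` in those positions). Now that the helper is reused for renewal, every re-issued CA certificate has the same issuer name and serial number as the one it replaces. RFC 5280 expects issuer plus serial to be unique per certificate, and software that keys on that pair can confuse the old and new CA certificates. Consider taking the serial as a parameter, e.g. `def _generate_ca_cert(self, serial=1):`, and having the renewal path pass a fresh value. The helper also lacks a docstring; a one-line summary should say that it self-signs with `self.ca_key`, rewrites both key and certificate through `storage.set_ca`, and updates `self.public_ca_pem`.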
@@ -31,26 +53,14 @@ class CA(object):
         else:
             log.info('initializing CA certificate and private key')
             self.ca_key = certutil.create_rsa_key_pair(self.bits)
-            ca_req = certutil.create_cert_request(
-                self.ca_key, **(self.ca_subject))
-            self.ca_crt = certutil.sign_certificate(
-                ca_req, self.ca_key, ca_req, 1, 3650,
-                extensions=[
-                    crypto.X509Extension('basicConstraints', True,
-                                         'CA:TRUE, pathlen:0'),
-                    crypto.X509Extension('keyUsage', True,
-                                         'keyCertSign, cRLSign'),
-                    #crypto.X509Extension('subjectKeyIdentifier', False,
-                    #                     'hash', subject=ca_req),
-                    ],
-                digest=self.digest)
-
-            crt_str = crypto.dump_certificate(
-                crypto.FILETYPE_PEM, self.ca_crt)
-            self.storage.set_ca(
-                crypto.dump_privatekey(crypto.FILETYPE_PEM, self.ca_key),
-                crt_str)
-            self.public_ca_pem = crt_str
+            self._generate_ca_cert()
+
+    def renew_ca(self):
+        if not self.ca_key:
+            log.error('CA private key not available')
+            return
+        log.info('renewing CA certificate')
+        self._generate_ca_cert()
 
     def get_ca(self):
         return self.public_ca_pem
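Review bot: `renew_ca` reports a missing key only through `log.error` and then returns `None`, the same value it returns on success, so a caller cannot tell that no certificate was issued. Raising instead, e.g. `raise RuntimeError('CA private key not available')`, or returning a boolean would make the failure visible to whatever triggers the renewal. The method also replaces the stored CA certificate via `storage.set_ca` without keeping the previous one, and nothing in this hunk shows the CRL being regenerated afterwards. A docstring should state that the existing key is reused, that the old certificate is overwritten, and what a caller must do to distribute the new one. How this method is exposed is not visible here, but it should be reachable only by an administrative path.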
@@ -77,7 +87,7 @@ class CA(object):
             crypto.X509Extension('extendedKeyUsage', False,
                                  server and 'serverAuth' or 'clientAuth'),
             crypto.X509Extension('nsCertType', False,
-                                 server and 'server' or 'client'),
+                                 server and 'client, server' or 'client'),
             ]
         cert = certutil.sign_certificate(
             req, self.ca_key, self.ca_crt, new_serial, days,
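Review bot: With this change a certificate requested as a server certificate carries `nsCertType` `client, server`, while `extendedKeyUsage` two lines above is still `serverAuth` only, so the two extensions disagree about whether it may act as a client. Peers that check only `nsCertType` would now accept a server certificate for client authentication, which widens what a compromised server key can do, while peers that check EKU would still refuse it. If dual use is intended, say so in a comment and make EKU match, `server and 'serverAuth, clientAuth' or 'clientAuth'`; otherwise keep `'server'`. The enclosing function starts and ends outside the hunk.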