diff --git a/pkg/pki/cert.go b/pkg/pki/cert.go
index fbd18477fa5768b144eb2ed8d90c03d20ec05b69..da7a6cd30324d4119de6f1331ef6daa7bf4a04cf 100644
--- a/pkg/pki/cert.go
+++ b/pkg/pki/cert.go
@@ -7,6 +7,7 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"errors"
+	"io/ioutil"
 )
 
 type Cert struct {
@@ -90,13 +91,26 @@ func (c *Certificate) Save() error {
 	return nil
 }
 
+// Ensure that the certificate has IO available
+// Certificates without explicit IO will get a
+// temporary directory
+func (c *Certificate) ensureIO() {
+	if c.IO == nil {
+		dir, _ := ioutil.TempDir("/tmp", "cert-")
+		c.IO = FileIO{dir}
+		c.Save()
+	}
+}
+
 // Get the key file path
 func (c *Certificate) KeyPath() string {
+	c.ensureIO()
 	return c.IO.Path(KeyType)
 }
 
 // Get the certificate file path
 func (c *Certificate) CertPath() string {
+	c.ensureIO()
 	return c.IO.Path(CertType)
 }
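Review bot: In `ensureIO` both the `ioutil.TempDir` error and the `c.Save()` error are discarded, so when directory creation fails `dir` is empty and `KeyPath`/`CertPath` still return a path built from `FileIO{""}` that may never have been written. Because that location holds the private key, the failure should be surfaced: have `ensureIO` return an error, with `dir, err := ioutil.TempDir("", "cert-")`, then `if err != nil { return err }`, then `return c.Save()`. Passing `""` rather than `"/tmp"` lets the platform temp directory apply. Nothing visible in this hunk removes the directory again, so the key presumably stays on disk after use; the comment on `ensureIO` should say that calling a path getter can write key material to disk and who is responsible for cleanup.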
 
diff --git a/pkg/pki/templates.go b/pkg/pki/templates.go
index e82ad26fb97f0731135e27f461e4020fb94fe394..48e7a7ac8d6c522d7a1a09cd912830bcdcc1712d 100644
--- a/pkg/pki/templates.go
+++ b/pkg/pki/templates.go
@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math/big"
+	"net"
 	"time"
 )
 
@@ -30,18 +31,23 @@ func newTemplate() *x509.Certificate {
 func NewCATemplate() *x509.Certificate {
 	template := newTemplate()
 	template.Subject = pkix.Name{}
-	template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
-	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+	template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
 	template.IsCA = true
 	return template
 }
 
-func NewServerTemplate(names []string) *x509.Certificate {
+func NewServerTemplate(names []string, ips []net.IP) *x509.Certificate {
 	template := newTemplate()
-	template.Subject = pkix.Name{
-		CommonName: names[0],
+	template.Subject = pkix.Name{}
+	if len(names) > 0 {
+		template.Subject.CommonName = names[0]
+	} else if len(ips) > 0 {
+		template.Subject.CommonName = ips[0].String()
 	}
+	template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	template.DNSNames = names
+	template.IPAddresses = ips
 	return template
 }
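Review bot: `NewServerTemplate` now accepts the case where both `names` and `ips` are empty and returns a server-auth template with an empty subject and no subject alternative names, which no client can match against a host. The function has no error return, so the least invasive fix is to state the requirement in a doc comment and validate in the caller before signing, e.g. `// NewServerTemplate returns a server-auth template; names and ips become the SANs and at least one of them must be non-empty.` The same comment should mention that the common name falls back to the first IP when no DNS name is given, since that is easy to miss when reading the issued certificate.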
 
@@ -51,5 +57,7 @@ func NewClientTemplate(cn string, org string) *x509.Certificate {
 		CommonName:   cn,
 		Organization: []string{org},
 	}
+	template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
 	return template
 }
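Review bot: `x509.KeyUsageKeyEncipherment` on the client template grants more than client authentication needs, because a TLS client proves possession of its key by signing and `x509.KeyUsageDigitalSignature` alone covers that. Suggest `template.KeyUsage = x509.KeyUsageDigitalSignature`, unless these client certificates are also used for something that requires key encipherment, which is not visible in this hunk. The body of `NewClientTemplate` starts above the hunk, so the key type in use cannot be confirmed from here.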