diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml index ed97d53..448d42a 100644 --- a/roles/generate-cert/defaults/main.yml +++ b/roles/generate-cert/defaults/main.yml @@ -1 +1,4 @@ --- +key_usage: + - digitalSignature + - keyEncipherment diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml index 2799fe5..aa05e2b 100644 --- a/roles/generate-cert/tasks/main.yml +++ b/roles/generate-cert/tasks/main.yml @@ -33,10 +33,7 @@ basic_constraints: - CA:FALSE # syntax? basic_contraints_critical: yes - key_usage: # need more works on this - - digitalSignature - - keyEncipherment - - clientAuth + key_usage: "{{ key_usage }}" key_usage_critical: yes subject_alt_name: "{{ subject_alt_name | default(omit) }}" # TODO: add a revocation methode, most probably crl, with crl_distribution_points
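Review bot: The new default in roles/generate-cert/defaults/main.yml is named `key_usage`, an unprefixed name that inventory, a play or another role can also define. Role defaults have the lowest variable precedence, so an unrelated `key_usage` elsewhere would silently change which usages go into certificates produced by this role. Prefixing it with the role name, e.g. `generate_cert_key_usage:` here and `key_usage: "{{ generate_cert_key_usage }}"` in the tasks/main.yml hunk, keeps any override deliberate. A comment above the default such as `# X.509 keyUsage values only; extended usages such as clientAuth do not belong in this list` would also record what callers may put here.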
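Review bot: In the tasks/main.yml hunk, `key_usage: "{{ key_usage }}"` passes whatever the caller supplies into an extension that the following line marks critical, with no check on its shape or content. The same task sets `CA:FALSE`, so a value containing `keyCertSign` or `cRLSign` would contradict the basic constraints, and a bare string instead of a list would also get through. An assert placed before this task (the task starts outside the hunk) would catch both. Separately, the context line `basic_contraints_critical: yes` looks misspelled; if the module expects `basic_constraints_critical`, the CA:FALSE constraint may not be marked critical as intended, which is worth confirming against the module's parameters.

```yaml
# … goes before the task this hunk edits, which starts outside the hunk …
- name: Check requested key usage before building the request
  ansible.builtin.assert:
    that:
      - key_usage is sequence
      - key_usage is not string
      - key_usage is not mapping
      - key_usage | intersect(['keyCertSign', 'cRLSign']) | length == 0
    fail_msg: "key_usage must be a list and must not include CA usages for a CA:FALSE certificate"
```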