diff --git a/roles/ispmail-certificate/tasks/main.yml b/roles/ispmail-certificate/tasks/main.yml
index b5801ba..35c8368 100644
--- a/roles/ispmail-certificate/tasks/main.yml
+++ b/roles/ispmail-certificate/tasks/main.yml
@@ -1,14 +1,13 @@
 ---
 - name: Create a self-signed certificate
   command: >
-    openssl req -new
-      -x509
-      -nodes
-      -extensions v3_ca
+    openssl req -newkey rsa:4096
+      -nodes -sha512 -x509
       -days {{ ispmail_certificate_days_valid }}
+      -nodes
       -subj "/C={{ ispmail_certificate_country }}/ST={{ ispmail_certificate_state }}/L={{ ispmail_certificate_location }}/O={{ ispmail_certificate_organisation }}/OU={{ ispmail_certificate_orgunit }}{% for domain in ispmail_certificate_domains %}/CN={{ domain }}{% endfor %}/emailAddress={{ ispmail_certificate_email }}"
-      -keyout /etc/ssl/private/mailserver.pem
       -out /etc/ssl/certs/mailserver.pem
+      -keyout /etc/ssl/private/mailserver.pem
   args:
     creates: /etc/ssl/certs/mailserver.pem
 - name: Restrict access permissions of the private key