diff --git a/0004-Ensure-critical-basicConstraint-for-CA-cert.patch b/0004-Ensure-critical-basicConstraint-for-CA-cert.patch
new file mode 100644
index 0000000..8dbb327
--- /dev/null
+++ b/0004-Ensure-critical-basicConstraint-for-CA-cert.patch
@@ -0,0 +1,43 @@
+From 276698d206e9bad55d628eb2db8a71ba469a2eaf Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 22 Apr 2025 13:09:32 -0400
+Subject: [PATCH 4/4] Ensure 'critical' basicConstraint for CA cert
+
+Fixes: https://github.com/sgallagher/sscg/issues/74
+
+Signed-off-by: Stephen Gallagher
+---
+ src/authority.c | 3 ++-
+ test/test_cert_validity.sh | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/authority.c b/src/authority.c
+index f509fd4316c3b7b230f99de6464491c319fc5d45..68000c5e695460abd65c9641b44c187f4aa617e3 100644
+--- a/src/authority.c
++++ b/src/authority.c
+@@ -123,7 +123,8 @@ create_private_CA (TALLOC_CTX *mem_ctx,
+ sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+ 
+ /* Mark it as a CA */
+- ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:TRUE");
++ ex = X509V3_EXT_conf_nid (
++ NULL, NULL, NID_basic_constraints, "critical,CA:TRUE");
+ CHECK_MEM (ex);
+ sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+ 
+diff --git a/test/test_cert_validity.sh b/test/test_cert_validity.sh
+index 1e4df5ce57a45981878cec017f710b9699b77c6a..e20e02a384156a1a481e2560308f10a82258986e 100755
+--- a/test/test_cert_validity.sh
++++ b/test/test_cert_validity.sh
+@@ -204,7 +204,7 @@ key_strength=$(openssl pkey -text -noout -in service-key.pem -passin pass:mypass
+ test "$key_strength" -eq "$_arg_key_strength"
+ 
+ # Validate the certificates
+-openssl verify -CAfile ca.crt service.pem
++openssl verify -x509_strict -CAfile ca.crt service.pem
+ 
+ popd # $TMPDIR
+
+--
+2.49.0
+
diff --git a/sscg.spec b/sscg.spec
index e522e8e..0c28c0d 100644
--- a/sscg.spec
+++ b/sscg.spec
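Review bot: The return value of `sk_X509_EXTENSION_push` on the line right after the new `X509V3_EXT_conf_nid ("critical,CA:TRUE")` call is still ignored, so a push failure (it returns 0) would silently yield a CA certificate with no basicConstraints at all and leak `ex`; that call should be checked like the allocation above it, e.g. `if (sk_X509_EXTENSION_push (ca_certinfo->extensions, ex) <= 0) { X509_EXTENSION_free (ex); /* route to the function's error path */ }`, using whatever error label `create_private_CA` already has outside the hunk. Marking basicConstraints critical is what RFC 5280 §4.2.1.9 requires for CA certificates; if `create_private_CA` also adds a keyUsage extension elsewhere (not visible here), it should likewise be `critical,keyCertSign,cRLSign`, since the `openssl verify -x509_strict` now used in the test rejects a CA whose keyUsage lacks keyCertSign. Consider `"critical,CA:TRUE,pathlen:0"` if this CA is only ever meant to sign end-entity certificates directly, which would stop a leaked CA key from being used to mint intermediates — I cannot tell from this hunk whether sscg supports issuing subordinate CAs. `create_private_CA` begins and ends outside the hunk.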
@@ -23,6 +23,8 @@
 Patch: 0001-Extend-maximum-DNS-name-to-255.patch
 Patch: 0002-Update-README.md-with-latest-usage-information.patch
 # Set Certificate Signing Request version to 1 instead of 3(which doesn't exist)
 Patch: 0003-x509-Use-proper-version-for-CSR.patch
+# Ensure 'critical' basicConstraint for CA cert
+Patch: 0004-Ensure-critical-basicConstraint-for-CA-cert.patch
 BuildRequires: gcc
 BuildRequires: libtalloc-devel