diff --git a/br/tests/_utils/generate_certs b/br/tests/_utils/generate_certs
index a968e8a7d2263..f7343f153d78f 100755
--- a/br/tests/_utils/generate_certs
+++ b/br/tests/_utils/generate_certs
@@ -21,7 +21,7 @@ mkdir -p $TEST_DIR/certs
 openssl ecparam -out "$TEST_DIR/certs/ca.key" -name prime256v1 -genkey
 # CA's Common Name must not be the same as signed certificate.
 openssl req -new -batch -sha256 -subj '/CN=br_tests' -key "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.csr"
-openssl x509 -req -sha256 -days 2 -in "$TEST_DIR/certs/ca.csr" -signkey "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.pem"
+openssl x509 -req -sha256 -days 2 -in "$TEST_DIR/certs/ca.csr" -extfile "${cur_dir}/../config/rootca.conf" -extensions ext -signkey "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.pem"
 for cluster in tidb pd tikv lightning tiflash curl ticdc br; do
 openssl ecparam -out "$TEST_DIR/certs/$cluster.key" -name prime256v1 -genkey
 openssl req -new -batch -sha256 -subj '/CN=localhost' -key "$TEST_DIR/certs/$cluster.key" -out "$TEST_DIR/certs/$cluster.csr"
diff --git a/br/tests/config/rootca.conf b/br/tests/config/rootca.conf
new file mode 100644
index 0000000000000..b4ca5d22ab5da
--- /dev/null
+++ b/br/tests/config/rootca.conf
@@ -0,0 +1,2 @@
+[ext]
+basicConstraints=CA:TRUE,pathlen:0
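Review bot: The new `-extfile "${cur_dir}/../config/rootca.conf"` argument in br/tests/_utils/generate_certs relies on `cur_dir`, which is not assigned anywhere in this hunk. If it is empty or unset when the script runs, the path becomes `/../config/rootca.conf`, the CA certificate is not written, and the signing steps in the loop below fail with an error that points away from the real cause. Writing the argument as `-extfile "${cur_dir:?}/../config/rootca.conf"` stops the script at this line with a clear message instead. The script starts and continues outside the hunk, so whether `cur_dir` is set earlier, and whether `set -e` or `set -u` is in effect, cannot be confirmed from here.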
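Review bot: The `basicConstraints` line in the new br/tests/config/rootca.conf is not marked critical, and the `[ext]` section carries no `keyUsage`. RFC 5280 expects a CA certificate to mark basicConstraints as critical, so a stricter TLS stack in one of the tested components may treat the two forms differently; `basicConstraints=critical,CA:TRUE,pathlen:0` keeps the test CA closer to what production verifiers expect. Adding `keyUsage=critical,keyCertSign,cRLSign` would also scope the CA key to certificate signing. Keeping `pathlen:0` is a good choice, since it prevents this CA from issuing further intermediate CAs.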