diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf
index 2837baf91..1e7998be6 100644
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -8,8 +8,6 @@ x509_signing_policies:
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
     - keyUsage: "digitalSignature, nonRepudiation"
-    - extendedkeyUsage: "serverAuth, clientAuth"
-    - keyUsage: "critical keyEncipherment"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: 3000
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 12dac65b5..bfe009258 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -62,7 +62,7 @@ fbcrtlink:
         backup: True
 
 {% endif %}
-{% if grains['role'] == 'so-sensor' %}
+{% if grains['role'] == 'so-SENSOR' %}
 # Request a cert and drop it where it needs to go to be distributed
 /opt/so/conf/filebeat/etc/pki/filebeat.crt:
   x509.certificate_managed: