diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf
index 95e5726f0..2837baf91 100644
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -1,5 +1,20 @@
 x509_signing_policies:
 filebeat:
+ - minions: '*'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "digitalSignature, nonRepudiation"
+ - extendedkeyUsage: "serverAuth, clientAuth"
+ - keyUsage: "critical keyEncipherment"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - days_valid: 3000
+ - copypath: /etc/pki/issued_certs/
+ registry:
 - minions: '*'
 - signing_private_key: /etc/pki/ca.key
 - signing_cert: /etc/pki/ca.crt
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 7cf98ef37..12dac65b5 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -26,8 +26,6 @@ m2cryptopkgs:
 - CN: {{ master }}
 - days_remaining: 3000
 - backup: True
- - keyUsage: "digitalSignature, nonRepudiation"
- - extendedkeyUsage: "serverAuth, clientAuth"
 - managed_private_key:
 name: /etc/pki/filebeat.key
 bits: 4096
@@ -53,7 +51,7 @@ fbcrtlink:
 /etc/pki/registry.crt:
 x509.certificate_managed:
 - ca_server: {{ master }}
- - signing_policy: filebeat
+ - signing_policy: registry
 - public_key: /etc/pki/registry.key
 - CN: {{ master }}
 - days_remaining: 3000
@@ -72,8 +70,6 @@ fbcrtlink:
 - signing_policy: filebeat
 - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
 - CN: {{ master }}
- - keyUsage: "digitalSignature, nonRepudiation"
- - extendedkeyUsage: "serverAuth, clientAuth"
 - days_remaining: 3000
 - backup: True
 - managed_private_key:
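Review bot: The new `filebeat` policy in signing_policies.conf lists `keyUsage` twice, first as `"digitalSignature, nonRepudiation"` and then as `"critical keyEncipherment"`; if Salt folds this list of single-key items into one mapping, as its x509 module appears to, the later entry wins and issued certificates lose `digitalSignature`, which strict TLS peers expect on an RSA certificate used with ephemeral key exchange. A single entry such as `- keyUsage: "critical digitalSignature, nonRepudiation, keyEncipherment"` would state the intent once. The key is also spelled `extendedkeyUsage`, whereas Salt documents `extendedKeyUsage`, so it is worth inspecting an issued certificate to confirm the EKU is actually present. Separately, `minions: '*'` lets any minion obtain a certificate under this policy, and the policy does not pin a CN; narrowing the glob to the hosts that run filebeat would limit who can request these certificates.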