diff --git a/cmd/kubeadm/app/phases/certs/pki_helpers.go b/cmd/kubeadm/app/phases/certs/pki_helpers.go
index d97b427fd8d..dac7379b4b3 100644
--- a/cmd/kubeadm/app/phases/certs/pki_helpers.go
+++ b/cmd/kubeadm/app/phases/certs/pki_helpers.go
@@ -51,6 +51,7 @@ func newServerKeyAndCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, altNam
 	config := certutil.Config{
 		CommonName: "kube-apiserver",
 		AltNames:   altNames,
+		Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 	}
 	cert, err := certutil.NewSignedCert(config, key, caCert, caKey)
 	if err != nil {
@@ -65,8 +66,10 @@ func NewClientKeyAndCert(config *certutil.Config, caCert *x509.Certificate, caKe
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
 	}
-
-	cert, err := certutil.NewSignedCert(*config, key, caCert, caKey)
+	// force usage to client usage
+	configCopy := *config
+	configCopy.Usages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+	cert, err := certutil.NewSignedCert(configCopy, key, caCert, caKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err)
 	}
diff --git a/federation/pkg/kubefed/init/init.go b/federation/pkg/kubefed/init/init.go
index 3b3c23aee35..f658968af50 100644
--- a/federation/pkg/kubefed/init/init.go
+++ b/federation/pkg/kubefed/init/init.go
@@ -334,11 +334,11 @@ func genCerts(svcNamespace, name, svcName, localDNSZoneName string, ips, hostnam
 	if err != nil {
 		return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err)
 	}
-	cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN)
+	cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err)
 	}
-	admin, err := triple.NewClientKeyPair(ca, AdminCN)
+	admin, err := triple.NewClientKeyPair(ca, AdminCN, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err)
 	}
diff --git a/staging/src/k8s.io/client-go/pkg/util/cert/cert.go b/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
index 05664c927be..941d6db67c6 100644
--- a/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
@@ -25,6 +25,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"math"
 	"math/big"
@@ -42,6 +43,7 @@ type Config struct {
 	CommonName   string
 	Organization []string
 	AltNames     AltNames
+	Usages       []x509.ExtKeyUsage
 }
 
 // AltNames contains the domain names and IP addresses that will be added
@@ -86,6 +88,12 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
 	if err != nil {
 		return nil, err
 	}
+	if len(cfg.CommonName) == 0 {
+		return nil, errors.New("must specify a CommonName")
+	}
+	if len(cfg.Usages) == 0 {
+		return nil, errors.New("must specify at least one ExtKeyUsage")
+	}
 
 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
@@ -98,7 +106,7 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
 		NotBefore:    caCert.NotBefore,
 		NotAfter:     time.Now().Add(duration365d).UTC(),
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		ExtKeyUsage:  cfg.Usages,
 	}
 	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
 	if err != nil {
diff --git a/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go b/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
index 98844aa01be..8719b82e312 100644
--- a/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
+++ b/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
@@ -80,6 +80,7 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
 	config := certutil.Config{
 		CommonName: commonName,
 		AltNames:   altNames,
+		Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 	}
 	cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
 	if err != nil {
@@ -92,14 +93,16 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
 	}, nil
 }
 
-func NewClientKeyPair(ca *KeyPair, commonName string) (*KeyPair, error) {
+func NewClientKeyPair(ca *KeyPair, commonName string, organizations []string) (*KeyPair, error) {
 	key, err := certutil.NewPrivateKey()
 	if err != nil {
 		return nil, fmt.Errorf("unable to create a client private key: %v", err)
 	}
 
 	config := certutil.Config{
-		CommonName: commonName,
+		CommonName:   commonName,
+		Organization: organizations,
+		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}
 	cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
 	if err != nil {