diff --git a/mtls/mtls.go b/mtls/mtls.go
index 892e6dc7..a0086a66 100644
--- a/mtls/mtls.go
+++ b/mtls/mtls.go
@@ -94,7 +94,7 @@ func NewIntermediate(cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...C
 // SignCSR sign certificate request and return signed pubkey
 func SignCSR(rawcsr []byte, cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...CertificateOption) ([]byte, error) {
 	if cacrt == nil {
-		opts = append(opts, CertificateIsCA(false))
+		opts = append(opts, CertificateIsCA(true))
 	}
 	options := NewCertificateOptions(opts...)
@@ -124,7 +124,7 @@ func SignCSR(rawcsr []byte, cacrt *x509.Certificate, cakey crypto.PrivateKey, op
 		IsCA: options.IsCA,
 	}
-	if !options.IsCA {
+	if options.IsCA {
 		cacrt = tpl
 	} else {
 		tpl.Issuer = cacrt.Subject
diff --git a/mtls/mtls_test.go b/mtls/mtls_test.go
index a81ff1e2..ca1fa140 100644
--- a/mtls/mtls_test.go
+++ b/mtls/mtls_test.go
@@ -10,6 +10,7 @@ func TestNewCa(t *testing.T) {
 	bcrt, key, err := NewCA(
 		CertificateOrganization("test_org"),
 		CertificateOrganizationalUnit("test_unit"),
+		CertificateIsCA(true),
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -23,7 +24,7 @@ func TestNewCa(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if crt.IsCA {
+	if !crt.IsCA {
 		t.Fatalf("crt IsCA invalid %v", crt)
 	}
 	if crt.Subject.Organization[0] != "test_org" {
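Review bot: Appending CertificateIsCA(true) after the caller's options makes every certificate issued without an issuer a CA and, if NewCertificateOptions applies options in order, overrides an explicit CertificateIsCA(false), so a self-signed end-entity certificate can no longer be produced through SignCSR. If that is the intended contract it belongs in the doc comment, e.g. `// When cacrt is nil the certificate is self-signed and is always marked as a CA.` Note also that crypto/x509 only encodes IsCA into the Basic Constraints extension when the template's BasicConstraintsValid is true; that field is set outside this hunk, so it is worth confirming the flag actually lands in the DER. SignCSR continues past the end of the hunk.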
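Review bot: The new branch keys the self-signed path on options.IsCA rather than on whether an issuer was supplied, so a caller that passes a real cacrt together with CertificateIsCA(true) — the combination an intermediate CA needs — has its issuer silently replaced by `cacrt = tpl` and receives a self-signed certificate that chains to nothing. Since the earlier hunk already forces the CA flag on when cacrt is nil, the condition can follow the input directly: `if cacrt == nil {`, leaving the else branch as it is. The template fields above this hunk and the signing call below it are not visible in the diff, so the rest of SignCSR's handling of the issuer is inferred from the two lines shown.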
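Review bot: The added `CertificateIsCA(true),` in TestNewCa is redundant if NewCA reaches SignCSR with a nil issuer, because the mtls.go change in this commit appends that same option unconditionally in that case; as written the test no longer shows whether NewCA's own defaults yield a CA. Dropping the explicit option here would make the inverted `if !crt.IsCA {` assertion in the following hunk exercise the default path rather than the option the test itself passed. NewCA's body is not part of this diff, so this assumes it delegates to SignCSR.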
@@ -33,3 +34,40 @@ func TestNewCa(t *testing.T) {
 		t.Fatalf("crt subject invalid %v", crt.Subject)
 	}
 }
+
+func TestNewIntermediate(t *testing.T) {
+	bcrt, cakey, err := NewCA(
+		CertificateOrganization("test_org"),
+		CertificateOrganizationalUnit("test_unit"),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	cacrt, err := x509.ParseCertificate(bcrt)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bcrt, ikey, err := NewIntermediate(cacrt, cakey,
+		CertificateOrganization("test_org"),
+		CertificateOrganizationalUnit("test_unit"),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = ikey
+	icrt, err := x509.ParseCertificate(bcrt)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if icrt.IsCA {
+		t.Fatalf("crt IsCA invalid %v", icrt)
+	}
+	if icrt.Subject.Organization[0] != "test_org" {
+		t.Fatalf("crt subject invalid %v", icrt.Subject)
+	}
+	if icrt.Subject.OrganizationalUnit[0] != "test_unit" {
+		t.Fatalf("crt subject invalid %v", icrt.Subject)
+	}
+}
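Review bot: The assertion `if icrt.IsCA {` fails the test when the intermediate is a CA, yet a certificate that cannot sign is useless as an intermediate; unless NewIntermediate is deliberately producing end-entity certificates, the check is inverted in the same way TestNewCa's was before this commit. More importantly, nothing here confirms the result was issued by the root: with the SignCSR change in this commit a CA-flagged template is self-signed and the supplied issuer is dropped, and this test would still pass, so checking the issuer relationship with CheckSignatureFrom and comparing icrt.Issuer against cacrt.Subject would pin the behaviour the function name promises. NewIntermediate's body is not part of this diff, so whether it asks for the CA flag is inferred.
```go
	// … unchanged: NewCA, NewIntermediate and ParseCertificate calls …
	if !icrt.IsCA {
		t.Fatalf("crt IsCA invalid %v", icrt)
	}
	if err := icrt.CheckSignatureFrom(cacrt); err != nil {
		t.Fatalf("intermediate not signed by ca: %v", err)
	}
	if icrt.Issuer.String() != cacrt.Subject.String() {
		t.Fatalf("crt issuer invalid %v", icrt.Issuer)
	}
	// … unchanged: subject assertions …
```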