diff --git a/pkg/controller/scylladbdatacenter/sync_certs.go b/pkg/controller/scylladbdatacenter/sync_certs.go
index 15b448fe5f3..a0837f67bd6 100644
--- a/pkg/controller/scylladbdatacenter/sync_certs.go
+++ b/pkg/controller/scylladbdatacenter/sync_certs.go
@@ -377,7 +377,7 @@ func (sdcc *Controller) syncCerts(
 					Refresh:  20 * 24 * time.Hour,
 					CertCreator: (&ocrypto.ServingCertCreatorConfig{
 						Subject: pkix.Name{
-							CommonName: "",
+							CommonName: sdc.Name, // Scylla requires non-empty CN for serving certs.
 						},
 						IPAddresses: ipAddresses,
 						DNSNames:    servingDNSNames,
diff --git a/pkg/crypto/certcreators.go b/pkg/crypto/certcreators.go
index ccb21657b03..934bcae229d 100644
--- a/pkg/crypto/certcreators.go
+++ b/pkg/crypto/certcreators.go
@@ -102,5 +102,6 @@ func (c *ServingCertCreatorConfig) ToCreator() *X509CertCreator {
 		IPAddresses: c.IPAddresses,
 		DNSNames:    c.DNSNames,
 		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 	}
 }