diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index ba7d0afe5..b84d7d3b7 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -933,8 +933,15 @@ class NSSDatabase:
             raise ValueError("subject key identifier must not be empty")
 
         try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
-                              capture_output=True)
+            self.run_certutil(
+                [
+                    '-V',  # check validity of cert and attrs
+                    '-n', nickname,
+                    '-u', 'L',  # usage; 'L' means "SSL CA"
+                    '-e',  # check signature(s); this checks
+                    # key sizes, sig algorithm, etc.
+                ],
+                capture_output=True)
         except ipautil.CalledProcessError as e:
             # certutil output in case of error is
             # 'certutil: certificate is invalid: \n'
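Review bot: Adding `-e` widens the set of reasons certutil can reject the certificate (bad signature, weak key size, disallowed signature algorithm), and the except branch below appears to key on the literal `certutil: certificate is invalid:` output; it is worth confirming that a signature-check failure produces the same prefix and is reported to the caller with a reason rather than being swallowed as a generic invalid-cert error. The except handler's body continues outside the hunk, so this cannot be verified from the diff alone. As a point of style, the comment on the `-e` entry is split so that its second half sits on its own line between list items and reads as a comment on the closing `]`; keep it on one line, `'-e',  # check signature(s): key sizes, sig algorithm, etc.`, or place the whole comment above the item.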