diff --git a/scripts/initialize-user-and-keys.sh b/scripts/initialize-user-and-keys.sh
index 98bf99e9b6fa612f6e1aec60122873ca55948e47..9b030f893e26dd85a29f92ac52dd7e3343bb77fe 100755
--- a/scripts/initialize-user-and-keys.sh
+++ b/scripts/initialize-user-and-keys.sh
@@ -23,19 +23,19 @@ function create_default_admin {
 function create_default_x509_ca {
 echo "start to create default x509 CA identified with default-x509"
 RUST_LOG=info ./target/debug/control-admin --config ./config/server.toml generate-keys --name default-x509ca --description "used for test purpose only" --key-type x509ca --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 \
- --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit Infra --digest-algorithm sha2_256 --visibility public
+ --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit "Infra CA" --digest-algorithm sha2_256 --visibility public
 }
 
 function create_default_x509_ica {
 echo "start to create default x509 ICA identified with default-x509"
 RUST_LOG=info ./target/debug/control-admin --config ./config/server.toml generate-keys --name default-x509ica --description "used for test purpose only" --key-type x509ica --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 \
- --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit Infra --digest-algorithm sha2_256 --param-x509-parent-name default-x509ca --visibility public
+ --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit "Infra ICA" --digest-algorithm sha2_256 --param-x509-parent-name default-x509ca --visibility public
 }
 
 function create_default_x509_ee {
 echo "start to create default x509 EE certificate identified with default-x509"
 RUST_LOG=info 
./target/debug/control-admin --config ./config/server.toml generate-keys --name default-x509ee --description "used for test purpose only" --key-type x509ee --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 \
- --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit Infra --digest-algorithm sha2_256 --param-x509-parent-name default-x509ica --visibility public
+ --param-x509-common-name Infra --param-x509-organization Huawei --param-x509-locality ShenZhen --param-x509-province-name GuangDong --param-x509-country-name CN --param-x509-organizational-unit "Infra EE" --digest-algorithm sha2_256 --param-x509-parent-name default-x509ica --visibility public
 }
 
 function create_default_openpgp_rsa {
diff --git a/src/infra/sign_plugin/x509.rs b/src/infra/sign_plugin/x509.rs
index 2362b7eb05a1f5521719e7edc6a7fc1a373fa465..99e82a1033c4f588d4dc7d09d89c475b6f7aace7 100644
--- a/src/infra/sign_plugin/x509.rs
+++ b/src/infra/sign_plugin/x509.rs
@@ -30,7 +30,7 @@ use openssl::pkey::PKey;
 use openssl::stack::Stack;
 use openssl::x509;
 use openssl::x509::extension::{
- AuthorityKeyIdentifier, BasicConstraints, KeyUsage, SubjectKeyIdentifier,
+ AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectKeyIdentifier,
 };
 use openssl::x509::{X509Crl, X509Extension};
 use openssl_sys::{
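Review bot: The three `+` lines make the CA, ICA and EE subjects differ only in OU while `--param-x509-common-name Infra` stays identical for all of them, so the issued certificates are still one attribute away from colliding subject/issuer DNs. If the motivation is to stop OpenSSL-style path building (and sbverify on top of it) from treating a child whose subject equals its issuer as self-issued, varying the CN as well, e.g. `--param-x509-common-name "Infra CA"` / `"Infra ICA"` / `"Infra EE"`, would be the more robust fix and is what most operators grep for. The hard-coded personal e-mail and 2048-bit RSA test keys are unchanged and already labelled "used for test purpose only", which is acceptable for a dev bootstrap script but worth keeping out of any production provisioning path. `create_default_openpgp_rsa` begins on the hunk's last line and continues outside it.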
@@ -329,12 +329,13 @@ impl X509Plugin {
 .critical()
 .build()?,
 )?;
- generator.append_extension(X509Extension::new_nid(
- None,
- None,
- Nid::CRL_DISTRIBUTION_POINTS,
- &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
- )?)?;
+ //NOTE: sbverify for EFI file will fail, enable when fixed
+ // generator.append_extension(X509Extension::new_nid(
+ // None,
+ // None,
+ // Nid::CRL_DISTRIBUTION_POINTS,
+ // &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
+ // )?)?;
 generator.append_extension(X509Extension::new_nid(
 None,
 None,
@@ -432,12 +433,14 @@ impl X509Plugin {
 .critical()
 .build()?,
 )?;
- generator.append_extension(X509Extension::new_nid(
- None,
- None,
- Nid::CRL_DISTRIBUTION_POINTS,
- &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
- )?)?;
+ generator.append_extension(ExtendedKeyUsage::new().code_signing().build()?)?;
+ //NOTE: sbverify for EFI file will fail, enable when fixed
+ // generator.append_extension(X509Extension::new_nid(
+ // None,
+ // None,
+ // Nid::CRL_DISTRIBUTION_POINTS,
+ // &self.generate_crl_endpoint(&self.parent_key.clone().unwrap().name, infra_config)?,
+ // )?)?;
 generator.append_extension(X509Extension::new_nid(
 None,
 None,
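Review bot: Commenting out the `Nid::CRL_DISTRIBUTION_POINTS` extension strips the only revocation pointer from every certificate issued through this path, not just the ones that will later be checked by sbverify, so a relying party that does consult CRLs (the file still imports `X509Crl` and keeps `generate_crl_endpoint`) has no way to locate them and a compromised child key cannot be revoked in a discoverable way. Rather than a blanket comment-out, gate the `append_extension` call on a config flag or per-key parameter so only EFI-bound certificates skip it, and replace the bare `//NOTE` with a comment that names the tracking issue and the observed sbverify error. Before disabling it at all, it is worth confirming the cause: `X509Extension::new_nid` feeds the string through OpenSSL's conf parser, which expects a `URI:`-prefixed value for this extension, so a malformed CDP value from `generate_crl_endpoint` would explain a verifier rejection better than sbverify itself. The enclosing method starts and ends outside the hunk.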
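Review bot: The new `generator.append_extension(ExtendedKeyUsage::new().code_signing().build()?)?;` line pins every certificate from this path to the codeSigning EKU, and nothing in the hunk lets the caller pick a different purpose, so an end-entity certificate minted here for anything other than EFI/Authenticode signing will now be rejected by verifiers that enforce EKU. Consider deriving the EKU from a key parameter with code signing as the default, and make sure the critical extension built just above the hunk (not visible here) is a KeyUsage that includes digitalSignature so the two extensions agree. The CDP removal in this hunk carries the same revocation trade-off as in the sibling hunk at line 329. The enclosing method starts and ends outside the hunk.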