diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 7543d7e..2aae7c4 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -184,7 +184,7 @@
     csr      => $csr,
     days     => $days,
     password => $password,
-    req_ext  => !empty($altnames) and !empty($extkeyusage),
+    req_ext  => !empty($altnames) or !empty($extkeyusage),
     force    => $force,
     ca       => $ca,
     cakey    => $cakey,
diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
index e2df33d..c3b42d3 100644
--- a/spec/defines/openssl_certificate_x509_spec.rb
+++ b/spec/defines/openssl_certificate_x509_spec.rb
@@ -422,6 +422,86 @@
     }
   end
 
+  context 'when passing altnames, extension is enabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+        altnames: ['bar.example.com'],
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: true
+      )
+    }
+  end
+
+  context 'when passing extkeyusage, extension is enabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+        extkeyusage: ['clientauth'],
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: true
+      )
+    }
+  end
+
+  context 'when passing altnames and extkeyusage, extension is enabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+        extkeyusage: ['clientauth'],
+        altnames: ['bar.example.com'],
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: true
+      )
+    }
+  end
+
+  context 'w/o passing altnames and extkeyusage, extension is disabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: false
+      )
+    }
+  end
+
   context 'when passing all parameters' do
     let(:params) do
       {