diff --git a/authority/tls.go b/authority/tls.go
index e64bb5fa..b7531ce3 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -786,7 +786,7 @@ func (a *Authority) GenerateCertificateRevocationList() error {
 	// Note that this is currently using the port 443 by default.
 	if b, err := marshalDistributionPoint(fullName, false); err == nil {
 		revocationList.ExtraExtensions = []pkix.Extension{
-			{Id: oidExtensionIssuingDistributionPoint, Value: b},
+			{Id: oidExtensionIssuingDistributionPoint, Critical: true, Value: b},
 		}
 	}