diff --git a/sysca/__init__.py b/sysca/__init__.py
index cfc8911..aaac7b5 100644
--- a/sysca/__init__.py
+++ b/sysca/__init__.py
@@ -3,7 +3,7 @@
 
 # pylint: disable=import-outside-toplevel
 
-__version__ = "2.3"
+__version__ = "2.3.1"
 
 
 def _version_info() -> str:
diff --git a/sysca/certinfo.py b/sysca/certinfo.py
index 4dcb89f..1419dad 100644
--- a/sysca/certinfo.py
+++ b/sysca/certinfo.py
@@ -498,7 +498,7 @@ def install_extensions(self,
         builder = builder.add_extension(ext, critical=True)
 
         # KeyUsage, critical
-        ku_args = {k: True in self.usage for k in KU_FIELDS}
+        ku_args = {k: True if k in self.usage else False for k in KU_FIELDS }
         if self.ca:
             ku_args.update(CA_DEFAULTS)
         elif not self.usage:
diff --git a/sysca/keys.py b/sysca/keys.py
index 036423f..6418cd6 100644
--- a/sysca/keys.py
+++ b/sysca/keys.py
@@ -112,7 +112,7 @@ def get_rsa_padding(privkey: IssuerPrivateKeyTypes, ctx: str) -> Optional[paddin
 def get_invalid_key_usage(pubkey: SubjectPublicKeyTypes) -> Sequence[str]:
     """KeyUsage types not supported by key"""
     rsa_legacy = ("key_encipherment", "data_encipherment", "encipher_only", "decipher_only", "key_agreement")
-    if UNSAFE or isinstance(pubkey, rsa.RSAPublicKey):
+    if UNSAFE or not isinstance(pubkey, rsa.RSAPublicKey):
         return ()
     return rsa_legacy