diff --git a/src/cryptoki.cxx b/src/cryptoki.cxx
index 16a228c..e518146 100644
--- a/src/cryptoki.cxx
+++ b/src/cryptoki.cxx
@@ -242,14 +242,12 @@ namespace cryptoki {
 //----------------------------------------------------------------------------
 Object Session::create(const openssl::X509& cert) {
 AttributeList attrs;
- /*
 attrs.push_back(Attribute(CKA_CLASS)
 .from(CKO_CERTIFICATE));
 attrs.push_back(Attribute(CKA_CERTIFICATE_TYPE)
 .from(CKC_X_509));
- attrs.push_back(Attribute(CKA_SUBJECT, derSubject));
- attrs.push_back(Attribute(CKA_VALUE, desValue));
- */
+ attrs.push_back(Attribute(CKA_SUBJECT, cert.subjectDER()));
+ attrs.push_back(Attribute(CKA_VALUE, cert.valueDER()));
 return create(attrs);
 }
 Object Session::create(const openssl::PrivateKey& key) {
diff --git a/src/openssl.hxx b/src/openssl.hxx
index 578c91b..861f92d 100644
--- a/src/openssl.hxx
+++ b/src/openssl.hxx
@@ -338,6 +338,20 @@ namespace openssl {
 return std::string((char*)M_ASN1_STRING_data(cn),
 M_ASN1_STRING_length(cn));
 }
+ //! Check for basic constraints.
+ /*! e.g. check for CA certificate:
+ @code
+ if (x509.basicConstraints() && x509.basicConstraints()->ca) [...]
+ @endcode
+ @return 0 if there are no basic constraints */
+ BASIC_CONSTRAINTS* basicConstraints() {
+ static BASIC_CONSTRAINTS* bc(0);
+ if (!bc) {
+ int pos(X509_get_ext_by_NID(_x509, NID_basic_constraints, -1));
+ if (pos>=0) bc = X509V3_EXT_d2i(X509_get_ext(_x509, pos));
+ }
+ return bc;
+ }
 //! Get organizational unit name.
 std::string organizationalUnitName() const {
 X509_NAME *name(X509_get_subject_name(_x509));
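Review bot: The two new attributes are built from `cert.subjectDER()` and `cert.valueDER()`, whose results are temporaries destroyed at the end of each `push_back` statement; if Attribute keeps only a pointer and length to its value (as a CK_ATTRIBUTE wrapper commonly does), the list handed to `create(attrs)` points at freed memory. If Attribute copies the bytes this is fine, but that contract is not visible in the diff; otherwise keep the DER strings alive for the whole call, e.g. `std::string subject(cert.subjectDER()), value(cert.valueDER());` and pass those two locals instead. Neither accessor is added by this diff, so I assume they already exist in openssl.hxx.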
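Review bot: `static BASIC_CONSTRAINTS* bc(0)` in basicConstraints() is one variable shared by every X509 object in the process, so once any certificate has been decoded, every later certificate reports the first one's constraints (including `->ca`), which makes the documented CA check return the wrong answer for all but the first certificate; the pointer is also never freed and its lazy initialisation is not thread-safe. The assignment `bc = X509V3_EXT_d2i(...)` additionally lacks a cast from `void*`, which C++ rejects. Decode on each call and give the caller ownership (or cache per instance in a member released by the destructor), and document that both a missing and an undecodable extension yield 0; the doc example should then call the accessor once and free the result rather than calling it twice. The enclosing class starts before this hunk.
```cpp
//! Check for basic constraints.
/*! Decoded on every call; the caller owns the result and releases it
    with BASIC_CONSTRAINTS_free().
    @return 0 if the extension is absent or fails to decode */
BASIC_CONSTRAINTS* basicConstraints() const {
  int pos(X509_get_ext_by_NID(_x509, NID_basic_constraints, -1));
  if (pos < 0) return 0;
  return static_cast<BASIC_CONSTRAINTS*>(X509V3_EXT_d2i(X509_get_ext(_x509, pos)));
}
```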
@@ -349,6 +363,16 @@ namespace openssl {
 return std::string((char*)M_ASN1_STRING_data(cn),
 M_ASN1_STRING_length(cn));
 }
+ //! Get key usage flags.
+ std::string keyUsageFlags() const {
+ int pos(X509_get_ext_by_NID(_x509, NID_key_usage, -1));
+ if (pos>=0) {
+ ASN1_BIT_STRING ku(d2i(X509_get_ext(_x509, pos)));
+ return std::string((char*)M_ASN1_STRING_data(ku),
+ M_ASN1_STRING_lengthku));
+ else
+ return std::string(); //! @todo better throw exception?
+ }
 private:
 ::X509* _x509;
 };
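Review bot: keyUsageFlags() does not compile as written: `M_ASN1_STRING_lengthku))` is missing its opening parenthesis, the `if (pos>=0) {` block is never closed before `else`, and `ASN1_BIT_STRING ku(d2i(...))` builds a value that is then passed where M_ASN1_STRING_data expects a pointer (`d2i` itself is not visible in this hunk, so I may be missing a helper). Decoding through the same X509V3_EXT_d2i path as basicConstraints(), freeing the decoded bit string before returning, and keeping the no-extension branch explicit would fix all three. The returned bytes are the raw content octets of the keyUsage BIT STRING, not a parsed flag set, and the comment should say so, since a caller testing for a specific usage has to mask the bits itself. The class this method belongs to begins before the hunk; its closing `};` is the hunk's last line.
```cpp
//! Get key usage flags: raw content octets of the keyUsage BIT STRING, empty if absent.
std::string keyUsageFlags() const {
  int pos(X509_get_ext_by_NID(_x509, NID_key_usage, -1));
  if (pos < 0) return std::string(); //! @todo better throw exception?
  ASN1_BIT_STRING* ku(static_cast<ASN1_BIT_STRING*>(X509V3_EXT_d2i(X509_get_ext(_x509, pos))));
  if (!ku) return std::string();
  std::string flags((char*)M_ASN1_STRING_data(ku), M_ASN1_STRING_length(ku));
  ASN1_BIT_STRING_free(ku);
  return flags;
}
```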