Even if it complicates things, use an intermediate server cert and let the CA cert only have KeyUsageCertSign (KeyUsageDigitalSignature might also be required). Leave key encipherment, client/server validation, etc. key usage flags to the intermediate certificate.
Also, publishing a CRL and using OCSP would be useful in case a server cert is compromised.
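The key-usage split suggested in the comment above, as an added Go example (not code from the original comment or the project it refers to). It assumes RSA keys and a single CA-issued server certificate; the names `must`, `issue`, `BuildChain` and `VerifyServer` and the subject and host names are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on setup errors to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl for pub with the issuer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildChain returns a CA limited to KeyUsageCertSign and the server certificate it issued.
func BuildChain() (ca, srv *x509.Certificate) {
	caKey, srvKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "Constructed Example CA"}, // constructed name
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "server.example.test"}, DNSNames: []string{"server.example.test"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	return ca, issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
}

// VerifyServer checks that srv chains to ca and is valid as a TLS server for the constructed host.
func VerifyServer(ca, srv *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: "server.example.test"})
	return err
}

func main() {
	fmt.Println("server verifies against CA:", VerifyServer(BuildChain()) == nil)
}
```

Revocation (CRL and OCSP) is not covered by this example.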