diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 6fa0b1417..0131f353b 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1132,6 +1132,8 @@ crypto_available(struct crypto_available_options *opt, int argc, char **argv)
 	    type = HX509_SELECT_DIGEST;
 	else if (strcmp(opt->type_string, "public-sig") == 0)
 	    type = HX509_SELECT_PUBLIC_SIG;
+	else if (strcmp(opt->type_string, "secret") == 0)
+	    type = HX509_SELECT_SECRET_ENC;
 	else
 	    errx(1, "unknown type: %s", opt->type_string);
     } else
@@ -1559,6 +1561,11 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	if (ret)
 	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy");
     }
+    if (opt->domain_controller_flag) {
+	hx509_ca_tbs_set_domaincontroller(context, tbs);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller");
+    }
 
     if (delta) {
 	ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta);