Comment 1: Section 7.1.2, CA Certificates

I recommend that you set only keyCertSign and cRLSign in keyUsage. The Grid Certificate Profile guidelines state:

------------------
2.4.2 It is RECOMMENDED to set no more than these two attributes. For proper operation it is not required to have more than keyCertSign and cRLSign in the CA certificate, and adding additional attributes may convey an incorrect impression to relying parties.
------------------

Comment 2: Section 7.1.2, Host Certificates

I recommend that you remove the nonRepudiation value from keyUsage. The Grid Certificate Profile guidelines state:

------------------
3.3.2 The nonRepudiation value SHOULD NOT be set for server certificates (including "host" and "service" certificates), as it implies that any use of the key would constitute incontrovertible evidence that the signing was done in a conscious way, which is unlikely for a server certificate. Its assertion in personal end-entity certificates SHOULD be limited to special purposes.
------------------
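As an added example (not part of the comments above or of the Grid Certificate Profile), the following checker decodes the DER-encoded keyUsage extension value of a certificate and reports deviations from the two recommendations: a CA certificate carrying anything beyond keyCertSign and cRLSign, and a host certificate asserting nonRepudiation. It assumes the caller has already extracted the raw extension value (the BIT STRING, tag 0x03) from the certificate; the sample byte strings are constructed for illustration.

```python
"""Check X.509 keyUsage bits against the Grid Certificate Profile advice quoted above."""

# RFC 5280 KeyUsage bit positions: bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def parse_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # The extension value is at most a few bytes, so only short-form length is accepted.
    if length & 0x80 or length + 2 != len(der):
        raise ValueError("bad BIT STRING length")
    unused = der[2]  # number of unused trailing bits in the last content byte
    if unused > 7 or (length == 1 and unused != 0):
        raise ValueError("bad unused-bits count")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def check_key_usage(kind: str, usage: set) -> list:
    """Return a list of findings for a 'ca' or 'host' certificate's keyUsage set."""
    findings = []
    if kind == "ca":
        # RFC 5280 4.2.1.3: a CA that asserts keyUsage must assert keyCertSign.
        for required in ("keyCertSign", "cRLSign"):
            if required not in usage:
                findings.append(f"CA certificate is missing {required}")
        for extra in sorted(usage - {"keyCertSign", "cRLSign"}):
            findings.append(f"CA certificate sets {extra}; only keyCertSign and cRLSign are recommended")
    elif kind == "host":
        if "nonRepudiation" in usage:
            findings.append("host certificate sets nonRepudiation, which SHOULD NOT be set for server certificates")
    else:
        raise ValueError("kind must be 'ca' or 'host'")
    return findings


# Constructed sample values: keyCertSign+cRLSign for the CA, three bits for the host.
CA_OK = bytes.fromhex("03020106")
HOST_WITH_NONREPUDIATION = bytes.fromhex("030205e0")
```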