diff --git a/x509-cert/src/builder.rs b/x509-cert/src/builder.rs index c2d84154a..213307cdb 100644 --- a/x509-cert/src/builder.rs +++ b/x509-cert/src/builder.rs @@ -248,7 +248,6 @@ where /// Creates a new certificate builder pub fn new( profile: Profile, - version: Version, serial_number: SerialNumber, mut validity: Validity, subject: Name, @@ -270,7 +269,7 @@ where validity.not_after.rfc5280_adjust_utc_time()?; let mut tbs = TbsCertificate { - version, + version: Version::V3, serial_number, signature: signature_alg, issuer, @@ -288,15 +287,13 @@ where subject_unique_id: None, }; - if tbs.version == Version::V3 { - let extensions = profile.build_extensions( - tbs.subject_public_key_info.owned_to_ref(), - signer_pub.owned_to_ref(), - &tbs, - )?; - if !extensions.is_empty() { - tbs.extensions = Some(extensions); - } + let extensions = profile.build_extensions( + tbs.subject_public_key_info.owned_to_ref(), + signer_pub.owned_to_ref(), + &tbs, + )?; + if !extensions.is_empty() { + tbs.extensions = Some(extensions); } Ok(Self { tbs, signer }) @@ -319,11 +316,18 @@ where } /// Run the certificate through the signer and build the end certificate. - pub fn build(self) -> Result + pub fn build(mut self) -> Result where S: Signer, Signature: SignatureEncoding, { + if self.tbs.extensions.is_none() { + if self.tbs.issuer_unique_id.is_some() || self.tbs.subject_unique_id.is_some() { + self.tbs.version = Version::V2; + } else { + self.tbs.version = Version::V1; + } + } let signature = self.signer.try_sign(&self.tbs.to_der()?)?; let signature = BitString::from_bytes(signature.to_bytes().as_ref())?; diff --git a/x509-cert/tests/builder.rs b/x509-cert/tests/builder.rs index 143a0e232..57d9ce710 100644 --- a/x509-cert/tests/builder.rs +++ b/x509-cert/tests/builder.rs 
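Review bot: `version: Version::V3` in the `TbsCertificate` literal is now only a provisional value, because `build()` later lowers it to V1 or V2 when no extensions are present, and nothing at this line says so. A short comment would keep the two places tied together, for example `// Provisional; build() lowers this to V1/V2 if the certificate ends up without extensions.` The doc comment on `new` could likewise state that the version is no longer chosen by the caller. The body of `new` starts and ends outside this hunk.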
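Review bot: The new block at the top of `build` silently rewrites `self.tbs.version`, so a profile that yields no extensions now produces a V1 certificate without the caller asking for one, and the doc comment does not mention it. That matters to relying parties: a V1/V2 certificate cannot carry basicConstraints, and RFC 5280 section 6.1.4 (k) leaves its CA status to out-of-band checks, which validators have not always handled consistently. I would document the rule on `build`, e.g. `/// The version is derived from the contents: V3 with extensions, V2 with only unique identifiers, V1 otherwise (RFC 5280 section 4.1.2.1).` The test hunks in `tests/builder.rs` only drop the argument, so an assertion on the resulting version for an extension-less builder appears to be missing. The nested `if` could also be a single assignment, `self.tbs.version = if has_unique_id { Version::V2 } else { Version::V1 };`, and the rest of `build` lies outside the hunk.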
@@ -9,7 +9,6 @@ use spki::SubjectPublicKeyInfoOwned; use std::{str::FromStr, time::Duration}; use x509_cert::{ builder::{CertificateBuilder, Profile}, - certificate::Version, name::Name, serial_number::SerialNumber, time::Validity, @@ -32,16 +31,9 @@ fn root_ca_certificate() { SubjectPublicKeyInfoOwned::try_from(RSA_2048_DER_EXAMPLE).expect("get rsa pub key"); let signer = rsa_signer(); - let builder = CertificateBuilder::new( - profile, - Version::V3, - serial_number, - validity, - subject, - pub_key, - &signer, - ) - .expect("Create certificate"); + let builder = + CertificateBuilder::new(profile, serial_number, validity, subject, pub_key, &signer) + .expect("Create certificate"); let certificate = builder.build().unwrap(); @@ -78,7 +70,6 @@ fn sub_ca_certificate() { let signer = ecdsa_signer(); let builder = CertificateBuilder::new::>( profile, - Version::V3, serial_number, validity, subject, @@ -130,7 +121,6 @@ fn leaf_certificate() { let signer = ecdsa_signer(); let builder = CertificateBuilder::new::>( profile, - Version::V3, serial_number, validity, subject,