$ openssl s_client -connect seeklay.icu:443 -servername seeklay.icu | openssl x509 -text
    ...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, ST=Some-State, L=Copenhavn, O=HGZ, OU=HGZ ROOT CA, CN=HGZ ROOT CA
        ...
        Subject: C=US, ST=Some-State, O=Internet Widgits Pty Ltd, CN=seeklay.icu
        ...
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                0.
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:seeklay.icu
            X509v3 Authority Key Identifier: 
                0.
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:seeklay.icu

This certificate is wrong in multiple areas:

• Duplicate extensions, i.e. Authority Key Identifier, Basic Constraints, Key Usage and Subject Alternative Names are all twice in the certificate. They MUST be included at most once. These duplicate extensions causes undefined behavior in certificate parsers: the might completely fail, ignore the extensions which have a duplicate one, take only the first or only the second ..
• Key usage of Digital Signature supports only DHE/ECDHE key exchange, even though the server configuration also supports RSA key exchange - in which case KeyEncipherment would be needed too. See Which key usages are required by each key exchange method?.
• Basic Constraints should be a critical extension
• The Authority Key Identifier of 0. is just wrong. It should be a unique identifier.
• The CA is not trusted by default (might be trusted by explicitly importing it).