diff --git a/ra/ra.go b/ra/ra.go
index bfd2386efe9..e5e94e36cbe 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -764,7 +764,12 @@ func (ra *RegistrationAuthorityImpl) matchesCSR(parsedCertificate *x509.Certific
 if parsedCertificate.IsCA {
 return berrors.InternalServerError("generated certificate can sign other certificates")
 }
- if !slices.Equal(parsedCertificate.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
+ for _, eku := range parsedCertificate.ExtKeyUsage {
+ if eku != x509.ExtKeyUsageServerAuth && eku != x509.ExtKeyUsageClientAuth {
+ return berrors.InternalServerError("generated certificate doesn't have correct key usage extensions")
+ }
+ }
+ if !slices.Contains(parsedCertificate.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
 return berrors.InternalServerError("generated certificate doesn't have correct key usage extensions")
 }
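Review bot: The new allow-list loop over `parsedCertificate.ExtKeyUsage` only covers EKUs that crypto/x509 recognises. OIDs it does not recognise are parsed into `parsedCertificate.UnknownExtKeyUsage`, which neither the loop nor the `slices.Contains` check reads, so a certificate carrying an extra unrecognised EKU would still pass here unless it is rejected elsewhere in matchesCSR (the function body starts and ends outside the hunk). Consider adding `if len(parsedCertificate.UnknownExtKeyUsage) != 0 { return berrors.InternalServerError("generated certificate has unrecognized extended key usages") }` before the loop. The two failure paths also return the identical message, and it says "key usage extensions" where the check is on extended key usage; distinct wording for "unexpected EKU" and "missing serverAuth" would make an issuance-time failure easier to triage.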