It seems there’s no way to control which extensions are marked critical in client certificates generated by Vault PKI. X509v3 Key Usage and X509v3 Basic Constraints get marked as critical, and Extended Key Usage does not. I’m working with an external requirement that Extended Key Usage be critical. Has this come up before? I can’t seem to find any discussion of this.