diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index f37aeccf0d..f212cd29f1 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -382,14 +382,32 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
  * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).
  * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
  *
- * \return 0 if this use of the certificate is allowed,
- * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
+ * \return 0 if this use of the certificate is allowed or the extension
+ * is not present, otherwise MBEDTLS_ERR_X509_BAD_INPUT_DATA.
  *
  * \note Usually only makes sense on leaf certificates.
  */
 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
 const char *usage_oid,
 size_t usage_len );
+
+/**
+ * \brief Check usage of certificate against extentedKeyUsage.
+ *
+ * \param crt Leaf certificate used.
+ * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
+ * MBEDTLS_OID_CLIENT_AUTH).
+ * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
+ *
+ * \return 0 if this use of the certificate is allowed, or
+ * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the extension is not
+ * present or the usage is not allowed.
+ *
+ * \note Usually only makes sense on leaf certificates.
+ */
+int mbedtls_x509_crt_check_extended_key_usage_ext( const mbedtls_x509_crt *crt,
+ const char *usage_oid,
+ size_t usage_len );
 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 1136ff7712..c52cc5a90f 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
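Review bot: The \brief of the new mbedtls_x509_crt_check_extended_key_usage_ext() declaration misspells the extension as `extentedKeyUsage`, and it reads as a duplicate of the existing function's \brief even though the two differ precisely in how an absent extension is treated; suggested wording: `\brief Check usage of certificate against extendedKeyUsage, requiring the extension to be present.` The \return paragraph already states the rejection of the absent-extension case, so the \brief is the only place where the distinction is missing. The `\param crt Leaf certificate used.` line and the leaf-only \note are copied from the permissive variant; given that the only caller in this commit passes an OCSP response signer, consider `\param crt Certificate to check, e.g. a delegated OCSP responder certificate.` so readers know why a stricter variant exists.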
@@ -1799,6 +1799,18 @@ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
 
 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
 }
+
+int mbedtls_x509_crt_check_extended_key_usage_ext( const mbedtls_x509_crt *crt,
+ const char *usage_oid,
+ size_t usage_len )
+{
+ /* Extension is not mandatory, absent means no restriction */
+ if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
+ return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+ return( mbedtls_x509_crt_check_extended_key_usage( crt, usage_oid,
+ usage_len ) );
+}
 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index 866244f668..99c7902478 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -1548,7 +1548,7 @@ static int x509_ocsp_verify_response_issuer(
 
 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
 /* Check that the issuer includes the value of id-kp-OCSPSigning */
- if( ( ret = mbedtls_x509_crt_check_extended_key_usage( issuer,
+ if( ( ret = mbedtls_x509_crt_check_extended_key_usage_ext( issuer,
 MBEDTLS_OID_OCSP_SIGNING,
 MBEDTLS_OID_SIZE( MBEDTLS_OID_OCSP_SIGNING ) ) ) != 0 )
 {
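Review bot: The comment `/* Extension is not mandatory, absent means no restriction */` above the `ext_types` test in mbedtls_x509_crt_check_extended_key_usage_ext() states the opposite of what the code does: an absent extendedKeyUsage extension is rejected with MBEDTLS_ERR_X509_BAD_INPUT_DATA, and the permissive behaviour the comment describes is the one in mbedtls_x509_crt_check_extended_key_usage() that this wrapper exists to bypass. A maintainer reading the comment could "fix" the condition to match it and silently reopen the permissive path. Suggested replacement: `/* Unlike mbedtls_x509_crt_check_extended_key_usage(), an absent extension is an error here: callers use this variant where the usage must be asserted explicitly. */`. Delegating to the existing function once presence is established is fine, since its documented absent-extension shortcut can no longer trigger.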
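Review bot: Calling mbedtls_x509_crt_check_extended_key_usage_ext() here makes an extendedKeyUsage extension mandatory on `issuer`, which is the correct requirement for a delegated OCSP responder certificate (RFC 6960 section 4.2.2.2 requires id-kp-OCSPSigning there), but a response signed directly by the CA that issued the certificate being checked carries no such requirement. The parameter name `issuer` suggests this path may also be taken for CA-signed responses; if it is, the presence requirement should apply only when the signer is not the issuing CA, otherwise previously valid responses will now fail with MBEDTLS_ERR_X509_BAD_INPUT_DATA. x509_ocsp_verify_response_issuer() starts and ends outside the hunk, so whether the caller already distinguishes the two cases cannot be confirmed from this diff; a one-line comment stating which case this branch covers would settle it for the next reader.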