diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 0676c3b7f..1272a426f 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1988,3 +1988,30 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
     hx509_clear_error_string(context);
     return HX509_CERTIFICATE_MISSING_EKU;
 }
+
+int
+_hx509_cert_get_keyusage(hx509_context context,
+			 hx509_cert c,
+			 KeyUsage *ku)
+{
+    Certificate *cert;
+    const Extension *e;
+    size_t size;
+    int ret, i = 0;
+
+    memset(ku, 0, sizeof(*ku));
+
+    cert = _hx509_get_cert(c);
+
+    if (_hx509_cert_get_version(cert) < 3)
+	return 0;
+
+    e = find_extension(cert, oid_id_x509_ce_keyUsage(), &i);
+    if (e == NULL)
+	return HX509_KU_CERT_MISSING;
+    
+    ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, ku, &size);
+    if (ret)
+	return ret;
+    return 0;
+}