diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index d55035d28..c934e5a14 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1674,6 +1674,16 @@ https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt
 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
 }
 
+static int
+https_negotiate_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+{
+ int ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
+ opt->pkinit++;
+ return ret;
+}
+
 static int
 https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
@@ -1747,6 +1757,11 @@ struct {
 "Certificates used for Kerberos PK-INIT KDC certificates",
 pkinit_kdc
 },
+ {
+ "https-negotiate-server",
+ "Used for HTTPS server and many other TLS server certificate types",
+ https_negotiate_server
+ },
 {
 "peap-server",
 "Certificate used for Radius PEAP (Protected EAP)",
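Review bot: `https_negotiate_server` has no comment saying why a TLS server certificate type also receives `asn1_oid_id_pkekuoid` (the PKINIT client EKU, as far as I know) and increments `opt->pkinit`. This matters because it lets one key serve both as a TLS server identity and as a Kerberos PKINIT credential. A short header such as `/* TLS server cert that is also usable as a PKINIT client cert: id-pkekuoid + serverAuth */` would make that intent explicit. Separately, `opt->pkinit++` runs even when one of the `hx509_ca_tbs_add_eku` calls has failed; guarding it with `if (ret == 0)` would keep the option state consistent with the EKUs actually added. How the caller treats a non-zero return is not visible in this hunk.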
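Review bot: The help text for the new `https-negotiate-server` entry does not mention that the certificate also carries the PKINIT EKU, so an operator reading the type list cannot tell it apart from a plain TLS server type. Because `https_negotiate_server` adds `asn1_oid_id_pkekuoid` and bumps `opt->pkinit`, a key issued under this type is presumably accepted for PKINIT as well as TLS, which is a wider grant than the description suggests. Something like `"HTTPS server that also authenticates with Kerberos PK-INIT (serverAuth + PK-INIT client EKU)"` would describe it accurately. The table's opening and closing lines lie outside this hunk.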