diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 51756cc77..8ec41344f 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -567,9 +567,11 @@ hx509_cms_envelope_1(hx509_context context,
     if (encryption_type == NULL)
 	encryption_type = oid_id_aes_256_cbc();
 
-    ret = _hx509_check_key_usage(context, cert, 1 << 2, TRUE);
-    if (ret)
-	goto out;
+    if ((flags & HX509_CMS_EV_NO_KU_CHECK) == 0) {
+	ret = _hx509_check_key_usage(context, cert, 1 << 2, TRUE);
+	if (ret)
+	    goto out;
+    }
 
     ret = hx509_crypto_init(context, NULL, encryption_type, &crypto);
     if (ret)