diff --git a/lib/asn1/rfc2459.asn1 b/lib/asn1/rfc2459.asn1
index 6094cf383..f7aee8b37 100644
--- a/lib/asn1/rfc2459.asn1
+++ b/lib/asn1/rfc2459.asn1
@@ -617,8 +617,9 @@ id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }
 id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::=
     { 1 3 6 1 4 1 311 20 2 }
 
-id-ms-client-authentication OBJECT IDENTIFIER ::=
- { 1 3 6 1 5 5 7 3 2 }
+-- This is a duplicate of id-pkix-kp-clientAuth
+--  id-ms-client-authentication OBJECT IDENTIFIER ::=
+--  { 1 3 6 1 5 5 7 3 2 }
 
 -- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72
 
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index fec71fe23..d0c232392 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1704,7 +1704,7 @@ pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *op
     if (ret)
 	return ret;
 
-    ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_ms_client_authentication);
+    ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_clientAuth);
     if (ret)
 	return ret;