diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
index 8811976d9a..85c4f440c4 100644
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@@ -2,7 +2,6 @@ package net.corda.nodeapi.internal.crypto
 import net.corda.core.CordaOID
 import net.corda.core.crypto.Crypto
-import net.corda.core.crypto.SignatureScheme
 import net.corda.core.crypto.random63BitValue
 import net.corda.core.internal.*
 import net.corda.core.utilities.days
@@ -396,45 +395,34 @@ class X509CertificateFactory {
 enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurposeId, val isCA: Boolean, val role: CertRole?) {
 ROOT_CA(
 KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign),
- KeyPurposeId.id_kp_serverAuth,
- KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = true,
 role = null
 ),
 INTERMEDIATE_CA(
 KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign),
- KeyPurposeId.id_kp_serverAuth,
 KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = true,
 role = CertRole.DOORMAN_CA
 ),
 NETWORK_MAP(
 KeyUsage(KeyUsage.digitalSignature),
- KeyPurposeId.id_kp_serverAuth,
 KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = false,
 role = CertRole.NETWORK_MAP
 ),
 SERVICE_IDENTITY(
 KeyUsage(KeyUsage.digitalSignature),
- KeyPurposeId.id_kp_serverAuth,
 KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = false,
 role = CertRole.SERVICE_IDENTITY
 ),
 NODE_CA(
 KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign),
- KeyPurposeId.id_kp_serverAuth,
 KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = true,
 role = CertRole.NODE_CA
 ),
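Review bot: ROOT_CA is now declared with no `purposes` at all, so whatever turns this vararg into the extended-key-usage extension has to cope with an empty list; that code is outside the hunk, so it cannot be confirmed from here. An ExtendedKeyUsage extension holding an empty sequence is not valid under RFC 5280, which requires at least one KeyPurposeId, and strict parsers reject such a certificate. I would guard the place that adds the extension with something like `if (purposes.isNotEmpty())` and add a comment on the entry, e.g. `// No EKU: the root is not restricted to a purpose`. The enum body continues beyond this hunk.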
@@ -443,7 +431,6 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo
 KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyEncipherment or KeyUsage.keyAgreement),
 KeyPurposeId.id_kp_serverAuth,
 KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = false,
 role = CertRole.TLS
 ),
@@ -451,24 +438,21 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo
 // TODO: Identity certs should have tight name constraints on child certificates
 LEGAL_IDENTITY(
 KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign),
- KeyPurposeId.id_kp_serverAuth,
 KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = true,
 role = CertRole.LEGAL_IDENTITY
 ),
 CONFIDENTIAL_LEGAL_IDENTITY(
 KeyUsage(KeyUsage.digitalSignature),
- KeyPurposeId.id_kp_serverAuth,
 KeyPurposeId.id_kp_clientAuth,
- KeyPurposeId.anyExtendedKeyUsage,
 isCA = false,
 role = CertRole.CONFIDENTIAL_LEGAL_IDENTITY
 ),
 NETWORK_PARAMETERS(
 KeyUsage(KeyUsage.digitalSignature),
+ KeyPurposeId.id_kp_clientAuth,
 isCA = false,
 role = CertRole.NETWORK_PARAMETERS
 )
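Review bot: The TLS entry keeps `KeyPurposeId.id_kp_serverAuth`, while the CA types in the previous hunk (INTERMEDIATE_CA, NODE_CA) now carry only `id_kp_clientAuth`. Some validators, OpenSSL among them, treat an EKU on a CA certificate as a constraint on the whole chain, so a server certificate issued beneath a clientAuth-only CA can be rejected for server authentication even where a validator that checks EKU on the leaf alone accepts it. If TLS certificates chain up through one of those CA types, which the diff does not show, either keep `KeyPurposeId.id_kp_serverAuth` on the issuing CA entries or leave the EKU off CA certificates entirely. A handshake test against a non-JDK TLS peer would catch this. The TLS entry itself starts above the hunk.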
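Review bot: NETWORK_PARAMETERS gains `KeyPurposeId.id_kp_clientAuth` although its key usage is `digitalSignature` only and it listed no purposes before, so this entry is widened in a commit that narrows every other one. LEGAL_IDENTITY and CONFIDENTIAL_LEGAL_IDENTITY in the same hunk likewise keep clientAuth. If these certificates are never meant to be presented in a TLS handshake, the EKU allows a signing key to be accepted as a client credential by any verifier that trusts the chain. Either drop the purpose or record the reason on the entry, e.g. `// clientAuth required because <reason>`. The enum body continues beyond this hunk.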