4

We have a CA certificate template to verify, which contains an extendedKeyUsage extension with the following values:

  • "clientAuthentication"
  • "emailProtection" and
  • "id-kp-OCSPSigning"

Is this a mistake, or is there really a use case for extendedKeyUsage in a CA certificate?

guntbert
  • 1,825
  • 2
  • 18
  • 21
IMenePs
  • 73
  • 6

1 Answer

4

A CA certificate itself is never used during authentication; instead, it is used for chain validation (I'm not talking about signing). In most cases, applications check for the presence of a particular EKU in the end-entity certificate only. Thus, EKU presence in a CA certificate has no effect.

There are known vendor-specific implementations where an EKU in a CA certificate does have an effect. This is called "constrained EKU": the application verifies whether a particular EKU is valid for the entire certificate chain and rejects the certificate if that EKU is present in the end-entity certificate but not specified at the CA level in a non-empty EKU extension.

For more details, please read my blog post about constrained EKU implementation in Microsoft certificate chaining engine: https://www.sysadmins.lv/blog-en/constraining-extended-key-usages-in-microsoft-windows.aspx

A very brief explanation is in this thread: Root CA with Extended Key Usage fields

Crypt32
  • 5,750
  • 12
  • 24
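As an added illustration (not code from the question or the answer, and not the Windows chaining engine's implementation), the following Python models the two behaviours the answer contrasts: the common leaf-only EKU check and the constrained-EKU check that intersects EKU sets down the chain. Purpose names, the chain layout and the sample chain mirroring the question's CA template are constructed.

```python
# Model of "constrained EKU" chain validation as described in the answer.
# Each certificate is represented only by its EKU extension: a frozenset of
# purpose names, or None when the certificate carries no EKU extension at all.
from typing import Optional, Sequence, Set

# Constructed purpose names (OpenSSL-style short names).
CLIENT_AUTH = "clientAuth"
SERVER_AUTH = "serverAuth"
EMAIL_PROTECTION = "emailProtection"
OCSP_SIGNING = "OCSPSigning"

Chain = Sequence[Optional[frozenset]]  # chain[0] is the root, chain[-1] the leaf


def leaf_only_check(chain: Chain, purpose: str) -> bool:
    """Common behaviour: only the end-entity certificate's EKU is consulted,
    so an EKU on a CA certificate has no effect here."""
    leaf = chain[-1]
    return leaf is None or purpose in leaf


def effective_eku(chain: Chain) -> Optional[Set[str]]:
    """Intersect EKU sets from root to leaf.  A certificate without an EKU
    extension constrains nothing (None means 'any purpose'); a CA that does
    carry a (non-empty) EKU restricts every certificate issued below it."""
    allowed: Optional[Set[str]] = None
    for eku in chain:
        if eku is None:
            continue
        allowed = set(eku) if allowed is None else allowed & set(eku)
    return allowed


def constrained_eku_check(chain: Chain, purpose: str) -> bool:
    """Constrained-EKU behaviour: the purpose must survive the intersection."""
    allowed = effective_eku(chain)
    return allowed is None or purpose in allowed


# Constructed chain mirroring the question: the issuing CA carries the three
# EKUs listed there; the end-entity certificate is a TLS server certificate.
QUESTION_CA = frozenset({CLIENT_AUTH, EMAIL_PROTECTION, OCSP_SIGNING})
TLS_SERVER_LEAF = frozenset({SERVER_AUTH})
TLS_CLIENT_LEAF = frozenset({CLIENT_AUTH})

if __name__ == "__main__":
    chain = [None, QUESTION_CA, TLS_SERVER_LEAF]      # root, issuing CA, leaf
    print(leaf_only_check(chain, SERVER_AUTH))        # True: leaf alone looks fine
    print(constrained_eku_check(chain, SERVER_AUTH))  # False: CA never allowed it
```

Under the leaf-only check the template from the question is harmless; under a constrained-EKU engine the same CA can only issue certificates for the three purposes it lists, so a TLS server certificate below it would fail chain validation.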