Test X509 certificates with a non-empty EKU section with critical
flag set. This fails verification on NSS 3.41 using the IPsec profile,
and requires working fallback to the NSS TLS profile for verification.