Generating HSM Protected keys & CSR - request extensions

We have an F5 BIG-IP VE that uses the Thales nShield connect solution, we are using the fipskey.nethsm utility to generate HSM protected keys and corresponding CSR.

 

The end user certificate needs to contain x509v3 extensions, specifically the following:

 

keyUsage = digitalSignature, keyEncipherment, KeyAgreement

 

extendedKeyUsage = serverAuth, clientAuth

 

If I were using OpenSSL to generate the CSR I would simply edit the openssl.cnf file to include these extensions. My question is – how can I include these request extensions when using the fipskey.nethsm utility?