CSRs generated from the web UI could include Entended Key Usage requests.
I generated CSRs using the web gui to send to our CA, to replace new device certs. The new certs came back without the client-auth Extended Key Usage attribute set. The documentation is quite clear...