diff --git a/frontend/editstruct.go b/frontend/editstruct.go
index 9cb66e5..302df08 100644
--- a/frontend/editstruct.go
+++ b/frontend/editstruct.go
@@ -4,7 +4,6 @@ import (
 "bytes"
 "crypto/x509"
 "fmt"
- "log"
 "strings"
 "text/template"
@@ -95,7 +94,7 @@ func makeTemplate(tmplstr string) (*template.Template, error) {
 return "# "
 },
 "TestKeyUsageBit": func(bitName string, ku x509.KeyUsage) bool {
- bit, err := keyusage.BitNameToKeyUsage(bitName)
+ bit, err := keyusage.KeyUsageFromString(bitName)
 if err != nil {
 panic(err)
 }
@@ -103,17 +102,9 @@ func makeTemplate(tmplstr string) (*template.Template, error) {
 return (ku & bit) != 0
 },
 "HasExtKeyUsage": func(ekuName string, ekus []x509.ExtKeyUsage) bool {
- // FIXME[P3]: move this logic to keyusage
- var eku x509.ExtKeyUsage
- switch ekuName {
- case "any":
- eku = x509.ExtKeyUsageAny
- case "clientAuth":
- eku = x509.ExtKeyUsageClientAuth
- case "serverAuth":
- eku = x509.ExtKeyUsageServerAuth
- default:
- log.Panicf("unknown ekuName %q", ekuName)
+ eku, err := keyusage.ExtKeyUsageFromString(ekuName)
+ if err != nil {
+ panic(err)
 }
 for _, e := range ekus {
 if e == eku {
diff --git a/keyusage/keyusage.go b/keyusage/keyusage.go
index af26647..5be1470 100644
--- a/keyusage/keyusage.go
+++ b/keyusage/keyusage.go
@@ -71,7 +71,7 @@ func PresetFromString(s string) (KeyUsage, error) {
 }
 }
-func BitNameToKeyUsage(bitName string) (x509.KeyUsage, error) {
+func KeyUsageFromString(bitName string) (x509.KeyUsage, error) {
 // FIXME[P2]: Support more
 switch bitName {
 case "keyEncipherment":
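Review bot: In frontend/editstruct.go the `HasExtKeyUsage` template func (and `TestKeyUsageBit` in the hunk before it) still turns an unknown name into `panic(err)`, so a misspelled name in a template goes through the panic path rather than a normal error. text/template accepts funcs whose second result is an `error` and stops execution with that error, so the closure can be declared `func(ekuName string, ekus []x509.ExtKeyUsage) (bool, error)` and use `return false, err`. Where the template text comes from is not visible here; if it can be supplied from outside the program, the plain error return matters more. The closure body continues past the end of the hunk.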
@@ -83,6 +83,20 @@ func BitNameToKeyUsage(bitName string) (x509.KeyUsage, error) {
 }
 }
+func ExtKeyUsageFromString(ekuName string) (x509.ExtKeyUsage, error) {
+ // FIXME[P2]: Support more
+ switch ekuName {
+ case "any":
+ return x509.ExtKeyUsageAny, nil
+ case "clientAuth":
+ return x509.ExtKeyUsageClientAuth, nil
+ case "serverAuth":
+ return x509.ExtKeyUsageServerAuth, nil
+ default:
+ return x509.ExtKeyUsage(0), fmt.Errorf("unknown ekuName %q", ekuName)
+ }
+}
+
 func (u *KeyUsage) UnmarshalYAML(unmarshal func(interface{}) error) error {
 var yku yamlKeyUsage
 if err := unmarshal(&yku); err != nil {
@@ -107,7 +121,7 @@ func (u *KeyUsage) UnmarshalYAML(unmarshal func(interface{}) error) error {
 u.KeyUsage = x509.KeyUsage(0)
 for _, ku := range yku.KeyUsage {
- bit, err := BitNameToKeyUsage(ku)
+ bit, err := KeyUsageFromString(ku)
 if err != nil {
 return err
 }
@@ -116,16 +130,15 @@ func (u *KeyUsage) UnmarshalYAML(unmarshal func(interface{}) error) error {
 foundAny := false
 u.ExtKeyUsages = []x509.ExtKeyUsage{}
- for _, eku := range yku.ExtKeyUsage {
- // FIXME[P2]: Support more
+ for _, ekustr := range yku.ExtKeyUsage {
+ eku, err := ExtKeyUsageFromString(ekustr)
+ if err != nil {
+ return err
+ }
- if eku == "any" {
+ u.ExtKeyUsages = append(u.ExtKeyUsages, eku)
+ if eku == x509.ExtKeyUsageAny {
 foundAny = true
- u.ExtKeyUsages = append(u.ExtKeyUsages, x509.ExtKeyUsageAny)
- } else if eku == "clientAuth" {
- u.ExtKeyUsages = append(u.ExtKeyUsages, x509.ExtKeyUsageClientAuth)
- } else if eku == "serverAuth" {
- u.ExtKeyUsages = append(u.ExtKeyUsages, x509.ExtKeyUsageServerAuth)
 }
 }
 if foundAny && len(u.ExtKeyUsages) > 1 {
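Review bot: `ExtKeyUsageFromString` in keyusage/keyusage.go returns `x509.ExtKeyUsage(0)` on its error path, and 0 is the value of `x509.ExtKeyUsageAny`, so a caller that drops the error would get the most permissive usage for an unrecognised name. Both callers in this commit check `err`, but the function is exported; an out-of-range value such as `return x509.ExtKeyUsage(-1), fmt.Errorf("unknown ekuName %q", ekuName)` would fail closed. The function also lacks a doc comment; I would add `// ExtKeyUsageFromString maps an EKU name ("any", "clientAuth", "serverAuth") to its x509.ExtKeyUsage and returns an error for any other name.`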
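Review bot: In `UnmarshalYAML`'s EKU loop the new `return err` leaves the receiver half-updated: `u.ExtKeyUsages` has already been reset and holds whatever entries parsed before the bad one, and `u.KeyUsage` was overwritten earlier in the function. A caller that logs the error and keeps using the value would then work with a partial key-usage policy; whether any caller does so is not visible here. Collecting into a local and assigning only on success avoids that: `ekus := []x509.ExtKeyUsage{}`, `ekus = append(ekus, eku)` in the loop, and `u.ExtKeyUsages = ekus` once validation has passed. The function starts before this hunk and the `foundAny` check continues after it, so the final assignment belongs after that check.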