diff --git a/Data/X509/Validation.hs b/Data/X509/Validation.hs
--- a/Data/X509/Validation.hs
+++ b/Data/X509/Validation.hs
@@ -43,6 +43,8 @@
     | InvalidName String       -- ^ Invalid name in certificate
     | NameMismatch String      -- ^ connection name and certificate do not match
     | InvalidWildcard          -- ^ invalid wildcard in certificate
+    | LeafKeyUsageNotAllowed   -- ^ the requested key usage is not compatible with the leaf certificate's key usage
+    | LeafNotV3                -- ^ Only authorized an X509.V3 certificate as leaf certificate.
     | EmptyChain               -- ^ empty chain of certificate
     deriving (Show,Eq)
 
@@ -69,6 +71,13 @@
     -- turn off, it's absolutely not safe to ignore a failed reason even it doesn't look serious
     -- (e.g. Expired) as other more serious checks would not have been performed.
     , checkExhaustive     :: Bool
+    -- | Check that the leaf certificate is version 3. If disable, version 2 certificate
+    -- is authorized in leaf position and key usage cannot be checked.
+    , checkLeafV3         :: Bool
+    -- | Check that the leaf certificate is authorized to be used for certain usage.
+    -- If set to empty list no check are performed, otherwise all the flags is the list
+    -- need to exists in the key usage extension
+    , checkLeafKeyUsage   :: [ExtKeyUsageFlag]
     -- | Check the top certificate names matching the fully qualified hostname (FQHN).
     -- it's not recommended to turn this check off, if no other name checks are performed.
     , checkFQHN           :: Maybe String
@@ -80,6 +89,9 @@
     } deriving (Show,Eq)
 
 -- | Default checks to perform
+--
+-- It's not recommended to use Nothing as FQDN, doing so
+-- will ignore an important validation parameter check.
 defaultChecks :: Maybe String -- ^ fully qualified host name that we need to match in the certificate
               -> Checks
 defaultChecks fqhn = Checks
@@ -87,6 +99,8 @@
     , checkStrictOrdering = False
     , checkCAConstraints  = True
     , checkExhaustive     = False
+    , checkLeafV3         = True
+    , checkLeafKeyUsage   = [KeyUsage_keyEncipherment]
     , checkFQHN           = fqhn
     }
 
@@ -101,10 +115,13 @@
 validateWith :: Parameters -> CertificateStore -> Checks -> CertificateChain -> IO [FailedReason]
 validateWith _      _     _      (CertificateChain [])           = return [EmptyChain]
 validateWith params store checks (CertificateChain (top:rchain)) =
-    doNameCheck (checkFQHN checks) top |> doCheckChain 0 top rchain
+    doLeafChecks |> doCheckChain 0 top rchain
   where isExhaustive = checkExhaustive checks
         a |> b = exhaustive isExhaustive a b
 
+        doLeafChecks = doNameCheck (checkFQHN checks) top |> doV3Check topCert |> doKeyUsageCheck topCert
+            where topCert = getCertificate top
+
         doCheckChain :: Int -> SignedCertificate -> [SignedCertificate] -> IO [FailedReason]
         doCheckChain level current chain = do
             r <- doCheckCertificate (getCertificate current)
@@ -140,9 +157,9 @@
         checkCA :: Certificate -> [FailedReason]
         checkCA cert
             | allowedSign && allowedCA = []
-            | otherwise                = if allowedSign then [] else [NotAllowedToSign]
-                                      ++ if allowedCA   then [] else [NotAnAuthority]
-          where extensions  = (certExtensions cert)
+            | otherwise                = (if allowedSign then [] else [NotAllowedToSign])
+                                      ++ (if allowedCA   then [] else [NotAnAuthority])
+          where extensions  = certExtensions cert
                 allowedSign = case extensionGet extensions of
                                 Just (ExtKeyUsage flags) -> KeyUsage_keyCertSign `elem` flags
                                 Nothing                  -> True
@@ -151,8 +168,21 @@
                                 _                                 -> False
 
         doNameCheck Nothing     _    = return []
-        doNameCheck (Just fqhn) cert =
-            return (validateCertificateName fqhn (getCertificate cert))
+        doNameCheck (Just fqhn) cert = return (validateCertificateName fqhn (getCertificate cert))
+
+        doV3Check cert
+            | checkLeafV3 checks = case certVersion cert of
+                                        2 {- confusingly it means X509.V3 -} -> return []
+                                        _ -> return [LeafNotV3]
+            | otherwise = return []
+
+        doKeyUsageCheck cert = return $
+            case (certVersion cert, checkLeafKeyUsage checks) of
+                (2, usage) -> if intersect usage flags == usage then [] else [LeafKeyUsageNotAllowed]
+                _          -> []
+          where flags = case extensionGet $ certExtensions cert of
+                            Just (ExtKeyUsage keyflags) -> keyflags
+                            Nothing                     -> []
 
         doCheckCertificate cert =
             exhaustiveList (checkExhaustive checks)
diff --git a/x509-validation.cabal b/x509-validation.cabal
--- a/x509-validation.cabal
+++ b/x509-validation.cabal
@@ -1,5 +1,5 @@
 Name:                x509-validation
-Version:             1.4.5
+Version:             1.4.6
 Description:         X.509 Certificate and CRL validation
 License:             BSD3
 License-file:        LICENSE
