p11-kit allows certificate extensions to be stored as a separate object, CKO_X_CERTIFICATE_EXTENSION, which can later be attached to a CKO_CERTIFICATE. This makes it easy for administrators to put additional constraints on the certificate, as described in:
https://nikmav.blogspot.com/2016/06/restricting-scope-of-ca-certificates.html
p11tool (GnuTLS) provides the --export-stapled option to export a certificate with all such extensions attached. p11-kit export-object could also support that.