You "should" also update your CPS:
keyUsage. This extension is present and marked critical. Bit positions for digitalSignature and keyEncipherment are set
But keyEncipherment isn't set for ECDSA certificates:
Might wanna look into that
Actually, from reading the CP, the CPS is the most logical choice to put the TLS Feature Extension too, I think.
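The mismatch described in the post can be checked mechanically. The following is an added example, not part of the original post or of any CA's tooling: it decodes the DER BIT STRING inside a keyUsage extension and diffs it against the CPS wording quoted above. The function names and the sample byte strings are constructed for illustration.

```python
# Added example: decode an X.509 keyUsage value (the DER BIT STRING carried
# inside the extension's OCTET STRING) and compare it with the CPS text.

KEY_USAGE_BITS = [  # RFC 5280 section 4.2.1.3, bit 0 first
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Return the names of the bits set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    names = set()
    total_bits = len(payload) * 8 - unused
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # DER numbers bits from the most significant bit of the first byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def cps_mismatch(der: bytes, documented: set) -> dict:
    """Diff the bits in a certificate against the bits the CPS documents."""
    actual = decode_key_usage(der)
    return {"missing": sorted(documented - actual),
            "undocumented": sorted(actual - documented)}

# The CPS wording quoted in the post.
CPS_KEY_USAGE = {"digitalSignature", "keyEncipherment"}

# Constructed sample extension values (not taken from real certificates).
SAMPLE_RSA = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment
SAMPLE_ECDSA = bytes.fromhex("03020780")  # digitalSignature only

if __name__ == "__main__":
    for label, der in (("RSA", SAMPLE_RSA), ("ECDSA", SAMPLE_ECDSA)):
        print(label, cps_mismatch(der, CPS_KEY_USAGE))
```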