diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
index d82854df..bab79f4c 100644
--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
@@ -120,23 +120,32 @@ cac_alg_flags_from_algorithm(int algorithm)
 	return 0;
 }
 
+#define SC_X509_DIGITAL_SIGNATURE     0x0001UL
+#define SC_X509_NON_REPUDIATION       0x0002UL
+#define SC_X509_KEY_ENCIPHERMENT      0x0004UL
+#define SC_X509_DATA_ENCIPHERMENT     0x0008UL
+#define SC_X509_KEY_AGREEMENT         0x0010UL
+#define SC_X509_KEY_CERT_SIGN         0x0020UL
+#define SC_X509_CRL_SIGN              0x0040UL
+#define SC_X509_SIGN_ONLY             0x0080UL
+#define SC_X509_DECIPHER_ONLY         0x0100UL
 
 /* These are the cert key usage bits that map to various PKCS #11 (and thus PKCS #15) flags */
-#define CAC_X509_USAGE_SIGNATURE		\
-	(SC_PKCS15INIT_X509_DIGITAL_SIGNATURE	| \
-	SC_PKCS15INIT_X509_NON_REPUDIATION	| \
-	SC_PKCS15INIT_X509_KEY_CERT_SIGN 	| \
-	SC_PKCS15INIT_X509_CRL_SIGN)
-#define CAC_X509_USAGE_DERIVE			\
-	SC_PKCS15INIT_X509_KEY_AGREEMENT
-#define CAC_X509_USAGE_UNWRAP 			\
-	(SC_PKCS15INIT_X509_KEY_ENCIPHERMENT	| \
-	SC_PKCS15INIT_X509_KEY_AGREEMENT)
-#define CAC_X509_USAGE_DECRYPT			\
-	(SC_PKCS15INIT_X509_DATA_ENCIPHERMENT 	\
-	/* | encipher? */)
-#define CAC_X509_USAGE_NONREPUDIATION		\
-	SC_PKCS15INIT_X509_NON_REPUDIATION
+#define CAC_X509_USAGE_SIGNATURE \
+	(SC_X509_DIGITAL_SIGNATURE | \
+	SC_X509_NON_REPUDIATION    | \
+	SC_X509_KEY_CERT_SIGN      | \
+	SC_X509_CRL_SIGN)
+#define CAC_X509_USAGE_DERIVE \
+	SC_X509_KEY_AGREEMENT
+#define CAC_X509_USAGE_UNWRAP \
+	(SC_X509_KEY_ENCIPHERMENT | \
+	SC_X509_KEY_AGREEMENT)
+#define CAC_X509_USAGE_DECRYPT \
+	(SC_X509_DATA_ENCIPHERMENT | \
+	SC_X509_SIGN_ONLY)
+#define CAC_X509_USAGE_NONREPUDIATION \
+	SC_X509_NON_REPUDIATION
 
 /* map a cert usage and algorithm to public and private key usages */
 static int