diff --git a/vault/resource_pki_secret_backend_root_sign_intermediate.go b/vault/resource_pki_secret_backend_root_sign_intermediate.go
index dd1de5c405..92873110aa 100644
--- a/vault/resource_pki_secret_backend_root_sign_intermediate.go
+++ b/vault/resource_pki_secret_backend_root_sign_intermediate.go
@@ -115,6 +115,15 @@ func pkiSecretBackendRootSignIntermediateResource() *schema.Resource {
 ForceNew: true,
 Default: -1,
 },
+ consts.FieldKeyUsage: {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: "Specify the key usages to be added to the existing set of key usages, CRL,CertSign, on the generated certificate.",
+ ForceNew: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
 consts.FieldExcludeCNFromSans: {
 Type: schema.TypeBool,
 Optional: true,
@@ -361,6 +370,7 @@ func pkiSecretBackendRootSignIntermediateCreate(ctx context.Context, d *schema.R
 consts.FieldURISans,
 consts.FieldOtherSans,
 consts.FieldPermittedDNSDomains,
+ consts.FieldKeyUsage,
 }
 
 // Whether name constraints fields (other than permitted_dns_domains), are supproted,
diff --git a/vault/resource_pki_secret_backend_root_sign_intermediate_test.go b/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
index 229ad47def..cffe5ddafa 100644
--- a/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
+++ b/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
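Review bot: The Description on the new consts.FieldKeyUsage schema entry reads `CRL,CertSign`, which looks like a mangled rendering of the two default usages and will be copied verbatim into the generated provider documentation; I would write `Description: "Specify the key usages to be added to the existing set of key usages, CRLSign and CertSign, on the generated certificate.",`. Since the accompanying test only exercises this field on Vault 1.18 and later (`SkipFunc: skip(provider.VaultVersion118)`), it is also worth stating the minimum server version in the description so operators on older servers do not assume the extra usages were applied. pkiSecretBackendRootSignIntermediateResource's body continues outside the hunk.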
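Review bot: consts.FieldKeyUsage is appended to the field list unconditionally, while the accompanying test only exercises it on Vault 1.18 and later; if this list feeds the sign-intermediate request body (its use is outside the hunk), a configured key_usage sent to an older server may be ignored rather than rejected, leaving the signed intermediate with different key usages than the configuration declares and no error during apply. The comment directly below the hunk shows that other fields are already gated on server support, so the same gate seems appropriate here: append consts.FieldKeyUsage only when `provider.IsAPISupported(meta, provider.VaultVersion118)` holds (assuming the usual `meta` argument is in scope), or return an error when the field is set against an older server. pkiSecretBackendRootSignIntermediateCreate starts and continues outside the hunk.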
@@ -202,6 +202,25 @@ func TestPkiSecretBackendRootSignIntermediate_basic_default(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, consts.FieldUsePSS, "true"),
 ),
 },
+ {
+ SkipFunc: skip(provider.VaultVersion118),
+ Config: testPkiSecretBackendRootSignIntermediateConfig_basic(rootPath, intermediatePath, false,
+ `key_usage = ["DigitalSignature", "CertSign"]`),
+ Check: resource.ComposeTestCheckFunc(
+ checks,
+ resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".#", "2"),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".0", "DigitialSignature"),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".1", "CertSign"),
+ testPKICert(resourceName, func(cert *x509.Certificate) error {
+ if 0 == cert.KeyUsage&x509.KeyUsageKeyAgreement || 0 == cert.KeyUsage&x509.KeyUsageCertSign {
+ return fmt.Errorf("KeyUsage expected %b, got %b",
+ x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign|x509.KeyUsageCRLSign,
+ cert.KeyUsage)
+ }
+ return nil
+ }),
+ ),
+ },
 },
 })
}
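Review bot: The new key_usage step cannot pass as written, and its certificate check does not verify what it claims: the `.0` attribute check expects `"DigitialSignature"` while the config sets `"DigitalSignature"`, and the x509 check tests `x509.KeyUsageKeyAgreement`, which the config never requests, so a signed intermediate missing DigitalSignature would still satisfy it. The error message also names CRLSign as expected, but the condition never checks that bit, so a failure would report a different expectation than the one tested. Because this is the only place the test confirms that the requested usages actually land on the issued certificate, I would fix the spelling, compute the expected mask once, and require every bit of it; whether CRLSign should be in that mask depends on Vault keeping the default CRLSign/CertSign usages as the field description states, which should be confirmed. TestPkiSecretBackendRootSignIntermediate_basic_default starts outside the hunk.
```go
resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".0", "DigitalSignature"),
// … unchanged: ".1" attribute check …
testPKICert(resourceName, func(cert *x509.Certificate) error {
	// DigitalSignature is what this step adds; CRLSign and CertSign are the
	// defaults the field description says are retained — confirm against Vault.
	want := x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if cert.KeyUsage&want != want {
		return fmt.Errorf("KeyUsage expected %b, got %b", want, cert.KeyUsage)
	}
	return nil
}),
```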