diff --git a/src/electronic-ids/x509.hpp b/src/electronic-ids/x509.hpp
index 9d04b6d..79e8fd0 100644
--- a/src/electronic-ids/x509.hpp
+++ b/src/electronic-ids/x509.hpp
@@ -52,10 +52,14 @@ inline CertificateType certificateType(const pcsc_cpp::byte_vector& cert)
 static const int KEY_USAGE_DIGITAL_SIGNATURE = 0;
 if (ASN1_BIT_STRING_get_bit(keyUsage.get(), KEY_USAGE_DIGITAL_SIGNATURE)) {
- if (auto extKeyUsage = extension(x509.get(), NID_ext_key_usage, EXTENDED_KEY_USAGE_free);
- extKeyUsage && hasClientAuthExtendedKeyUsage(extKeyUsage.get())) {
- return CertificateType::AUTHENTICATION;
+ if (auto extKeyUsage = extension(x509.get(), NID_ext_key_usage, EXTENDED_KEY_USAGE_free)) {
+ return hasClientAuthExtendedKeyUsage(extKeyUsage.get())
+ ? CertificateType::AUTHENTICATION
+ : CertificateType::NONE;
 }
+ // Digital Signature extension present, but Extended Key Usage extension not present,
+ // assume it is an authentication certificate (e.g. Luxembourg eID).
+ return CertificateType::AUTHENTICATION;
 }
 return CertificateType::NONE;
diff --git a/tests/mock/test-pkcs11-token.cpp b/tests/mock/test-pkcs11-token.cpp
index 503d154..bd012ed 100644
--- a/tests/mock/test-pkcs11-token.cpp
+++ b/tests/mock/test-pkcs11-token.cpp
@@ -88,6 +88,7 @@ TEST(electronic_id_test, pkcs11TokenHasAuthenticationCert)
 PKCS11CardManager::Token token;
 token.cert = base64Decode(AUTH_CERT);
 EXPECT_TRUE(certificateType(token.cert).isAuthentication());
+ EXPECT_FALSE(certificateType(token.cert).isSigning());
 }
 TEST(electronic_id_test, pkcs11TokenHasSigningCert)
@@ -95,4 +96,5 @@ TEST(electronic_id_test, pkcs11TokenHasSigningCert)
 PKCS11CardManager::Token token;
 token.cert = base64Decode(SIGNING_CERT);
 EXPECT_FALSE(certificateType(token.cert).isAuthentication());
+ EXPECT_TRUE(certificateType(token.cert).isSigning());
 }
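Review bot: The new fallback `return CertificateType::AUTHENTICATION;` at the end of the digitalSignature branch classifies every certificate with that key-usage bit and no Extended Key Usage extension as an authentication certificate, which is broader than the Luxembourg eID case the comment names. If a token can also hold a CA or other non-end-entity certificate with digitalSignature set, it would now be offered for authentication; a guard before the fallback such as `if (X509_check_ca(x509.get()) != 0) return CertificateType::NONE;` keeps the relaxation to end-entity certificates. The comment would be more accurate as `// digitalSignature key usage bit set but no Extended Key Usage extension: treat as an authentication certificate (e.g. Luxembourg eID).`, since digitalSignature is a bit inside Key Usage rather than an extension of its own. The start of certificateType, including how keyUsage is read and any earlier signing check, is outside this hunk, so the ordering of those checks is assumed here rather than verified.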
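Review bot: Neither test hunk (pkcs11TokenHasAuthenticationCert here, pkcs11TokenHasSigningCert in the next hunk) exercises the branch this commit adds in x509.hpp. Both reuse the existing AUTH_CERT and SIGNING_CERT fixtures, whose extensions are not visible in the diff. A case for a certificate with digitalSignature and no Extended Key Usage extension is missing, for example `EXPECT_TRUE(certificateType(base64Decode(AUTH_CERT_WITHOUT_EKU)).isAuthentication());`, where `AUTH_CERT_WITHOUT_EKU` is a placeholder name for a new fixture. A companion case with an EKU that lacks clientAuth, expecting neither isAuthentication() nor isSigning(), would pin the explicit `CertificateType::NONE` path. Both TEST bodies open outside their hunks.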