diff --git a/apps/emqx/src/emqx_const_v2.erl b/apps/emqx/src/emqx_const_v2.erl
index a3b7980ff..0d95cf43c 100644
--- a/apps/emqx/src/emqx_const_v2.erl
+++ b/apps/emqx/src/emqx_const_v2.erl
@@ -49,8 +49,8 @@ make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
     end.
 
 make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
-    AllowedKeyUsages = ext_key_opts(KeyUsages),
-    {fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}.
+    RequiredKeyUsages = ext_key_opts(KeyUsages),
+    {fun verify_fun_peer_extKeyUsage/3, RequiredKeyUsages}.
 
 verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
     %% !! Override OTP verify peer default
@@ -69,17 +69,17 @@ verify_fun_peer_extKeyUsage(
     #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
     %% valid peer cert
     valid_peer,
-    AllowedKeyUsages
+    RequiredKeyUsages
 ) ->
     %% override OTP verify_peer default
     %% must have id-ce-extKeyUsage
     case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
         #'Extension'{extnID = ?'id-ce-extKeyUsage', extnValue = VL} ->
-            case do_verify_ext_key_usage(VL, AllowedKeyUsages) of
+            case do_verify_ext_key_usage(VL, RequiredKeyUsages) of
                 true ->
                     %% pass the check,
                     %% fallback to OTP verify_peer default
-                    {valid, AllowedKeyUsages};
+                    {valid, RequiredKeyUsages};
                 false ->
                     {fail, extKeyUsage_unmatched}
             end;
@@ -100,9 +100,7 @@ do_verify_ext_key_usage(CertExtL, [Usage | T] = _Required) ->
     end.
 
 %% @doc Helper tls cert extension
--spec ext_key_opts
-    (string()) -> [OidString :: string() | public_key:oid()];
-    (undefined) -> undefined.
+-spec ext_key_opts(string()) -> [OidString :: string() | public_key:oid()].
 ext_key_opts(Str) ->
     Usages = string:tokens(Str, ","),
     lists:map(
@@ -119,7 +117,7 @@ ext_key_opts(Str) ->
                 ?'id-kp-timeStamping';
             ("ocspSigning") ->
                 ?'id-kp-OCSPSigning';
-            ([$O, $I, $D, $: | OidStr]) ->
+            ("OID:" ++ OidStr) ->
                 OidList = string:tokens(OidStr, "."),
                 list_to_tuple(lists:map(fun list_to_integer/1, OidList))
         end,
diff --git a/apps/emqx/test/emqx_test_tls_certs_helper.erl b/apps/emqx/test/emqx_test_tls_certs_helper.erl
index 759b42821..78d51c5e0 100644
--- a/apps/emqx/test/emqx_test_tls_certs_helper.erl
+++ b/apps/emqx/test/emqx_test_tls_certs_helper.erl
@@ -46,7 +46,7 @@ emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
         zone => default,
         ssl_options => maps:from_list(SslOptions)
     },
-    ct:pal("start listsner with ~p ~p", [Name, Opts]),
+    ct:pal("start listener with ~p ~p", [Name, Opts]),
     emqx_listeners:start_listener(ssl, Name, Opts).
 
 %%-------------------------------------------------------------------------------