There’s an extension keyUsage which specifies what can be done with the certificate. Note that some programs are not using this field.

From X509 documentation:

X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
    the supplied certificate cannot be used for the specified purpose.

Man page x509v3_config(5) lists possible values for the parameter and also for another called extendedKeyUsage:

Key Usage.
    Key usage is a multi valued extension consisting of a list of names of
    the permitted key usages.

    The supporte names are: digitalSignature, nonRepudiation,
    keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
    encipherOnly and decipherOnly.

    Examples:
     keyUsage=digitalSignature, nonRepudiation
     keyUsage=critical, keyCertSign 

Extended Key Usage.
    This extensions consists of a list of usages indicating purposes for
    which the certificate public key can be used for,

    These can either be object short names of the dotted numerical form of
    OIDs.  While any OID can be used only certain values make sense. In
    particular the following PKIX, NS and MS values are meaningful:

     Value                  Meaning
     -----                  -------
     serverAuth             SSL/TLS Web Server Authentication.
     clientAuth             SSL/TLS Web Client Authentication.
     codeSigning            Code signing.
     emailProtection        E-mail Protection (S/MIME).
     timeStamping           Trusted Timestamping
     msCodeInd              Microsoft Individual Code Signing (authenticode)
     msCodeCom              Microsoft Commercial Code Signing (authenticode)
     msCTLSign              Microsoft Trust List Signing
     msSGC                  Microsoft Server Gated Crypto
     msEFS                  Microsoft Encrypted File System
     nsSGC                  Netscape Server Gated Crypto

    Examples:
     extendedKeyUsage=critical,codeSigning,1.2.3.4
     extendedKeyUsage=nsSGC,msSGC