Generated ECC certificate does not have the correct key usage set
I am trying to generate an ECC certificate for EAP-TLS. After submitting a certificate sign request (CSR) with an ECC 384 public key, the certificate generated does not have the correct keyUsage bits set. The CSR is requesting the digitalSignature, keyAgreement and nonRepudiation as the key usage(s). The certificate template is set up for encryption and signature using ECDH_P384 as the algorithm and SHA1 for hash algorithm under cryptography. Also the template has the correct key usages set on the "Extensions" tab.
July 16th, 2010 6:00pm

The Extensions tab of the cert template is the important part here. Did you recently make changes that might not have replicated? Usually 15 minutes is required for the changes to replicate via AD, although that timeframe may vary based on your actual configuration for AD replication. Otherwise I would suggest double checking that tab on your template for the Application Policy and Key Usage sections to make sure that they agree with what you think should be there. What is specified in the CSR doesn't matter as much as what is in the template. If still no go, I would try duplicating a different template and starting again from scratch to test.
July 19th, 2010 11:18pm
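
The reply above says the template, not the CSR, decides which key usages end up in the issued certificate. As an added example (not part of the thread), this Python script decodes the DER-encoded keyUsage BIT STRING from a request and from an issued certificate and reports which requested bits were dropped. The function names are hypothetical and both hex values are constructed samples, not the poster's data.

```python
# Added example: decode and compare X.509 keyUsage values (RFC 5280, 4.2.1.3).
# Bit names in BIT STRING order; bit 0 is digitalSignature.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2 or length < 2:
        raise ValueError("unexpected length for keyUsage")
    unused, payload = der[2], der[3:]
    if unused > 7 or len(payload) > 2:
        raise ValueError("malformed keyUsage BIT STRING")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first payload byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def compare_key_usage(requested_der: bytes, issued_der: bytes) -> dict:
    """Report which requested usages the CA kept, dropped, or added."""
    requested = decode_key_usage(requested_der)
    issued = decode_key_usage(issued_der)
    return {
        "kept": sorted(requested & issued),
        "dropped": sorted(requested - issued),
        "added": sorted(issued - requested),
    }

# Constructed sample: the three usages the question says the CSR requests.
CSR_KEY_USAGE = bytes.fromhex("030203c8")
# Constructed sample: a certificate issued with digitalSignature only.
ISSUED_KEY_USAGE = bytes.fromhex("03020780")

if __name__ == "__main__":
    for label, names in compare_key_usage(CSR_KEY_USAGE, ISSUED_KEY_USAGE).items():
        print(f"{label}: {', '.join(names) or '-'}")
```

A non-empty "dropped" list for a request that the template should have honoured points back at the template's Extensions tab rather than at the CSR.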

Did you get eap-tls to work with ecc certificates?
October 29th, 2010 10:40am

This topic is archived. No further replies will be accepted.
