It should not be surprising that both keypairs worked. Unless you're doing mutual authentication, the SSL server will never see the client certificate, and so it will not be able to see the keyUsage attribute, or the extendedKeyUsage attribute. Those two attributes specify how a keypair is "supposed" to be used. If you're very very picky, you want keyUsage to have digitalSignature and keyEncipherment turned on, and extendedKeyUsage to include serverAuth or clientAuth. If you're not very picky, use your signing keypair, not your encryption keypair.
For a bit more info on the attributes, see the x509v3_config manpage (http://www.openssl.org/docs/apps/x509v3_config.html#Extended_Key_Usage_) and/or google it.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
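
As an added example (not part of the original message): a shell sketch that builds two throwaway self-signed certificates from an x509v3_config-style extension section and tests the "very picky" keyUsage/extendedKeyUsage conditions described above. The helper names, the CN, and the emailProtection usage on the encryption-style certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all certificates below are constructed, throwaway test data.

# make_cert PREFIX KEY_USAGE EXT_KEY_USAGE  (hypothetical helper)
# Writes PREFIX.cnf, PREFIX.key and PREFIX.pem: a self-signed certificate whose
# extensions come from an x509v3_config-style section.
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = example.test
[ext]
keyUsage = critical, $2
extendedKeyUsage = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# picky_check CERT  (hypothetical helper)
# Returns 0 only when keyUsage has both digitalSignature and keyEncipherment
# and extendedKeyUsage includes serverAuth or clientAuth.
picky_check() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ {getline; print}')
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ {getline; print}')
    case $ku in *"Digital Signature"*) ;; *) return 1 ;; esac
    case $ku in *"Key Encipherment"*) ;; *) return 1 ;; esac
    case $eku in
        *"TLS Web Server Authentication"*|*"TLS Web Client Authentication"*) return 0 ;;
    esac
    return 1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/signing" "digitalSignature, keyEncipherment" "serverAuth, clientAuth"
    make_cert "$dir/encryption" "keyEncipherment, dataEncipherment" "emailProtection"
    for name in signing encryption; do
        if picky_check "$dir/$name.pem"; then
            echo "$name: meets the picky keyUsage/extendedKeyUsage check"
        else
            echo "$name: does not meet the picky check"
        fi
    done
    rm -rf "$dir"
}
demo
```

The check reads the extensions from the certificate itself, so it can be run on whichever side actually receives the certificate.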