smartcard.allow.noeku

This configuration parameter allows the use of certificates that do not have the Extended Key Usage (EKU) attribute. Normally, smart card use requires certificates with the EKU attribute. The value of this parameter can be true or false.

If you set this parameter to true, certificates without an EKU attribute can be used for smart card logon, and certificates with the following attributes can also be used to log on with a smart card:

  • Certificates with no EKU
  • Certificates with an All Purpose EKU
  • Certificates with a Client Authentication EKU

If you set this parameter to false, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. The default value of this parameter is false.
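The following added example (not code from the product or its vendor) models the acceptance rules described above so you can see which certificates in an inventory would become usable for logon if the parameter is changed from false to true. The function names and the sample inventory are constructed for illustration. It assumes that certificates carrying the smart card logon OID remain accepted when the parameter is true.

```python
# Added illustration: models the acceptance rules as this page describes them.
# It does not read the agent's configuration or parse real certificates.

SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"                     # anyExtendedKeyUsage ("All Purpose")


def accepted(eku_oids, allow_noeku):
    """Return True if a certificate with these EKU OIDs may be used for logon.

    eku_oids is None when the certificate has no EKU extension at all,
    otherwise an iterable of dotted OID strings.
    """
    if eku_oids is None:
        # No EKU extension: usable only when smartcard.allow.noeku is true.
        return allow_noeku
    ekus = set(eku_oids)
    if SMARTCARD_LOGON in ekus:
        # Assumption: the smart card logon OID is accepted under both settings.
        return True
    # Client Authentication or All Purpose count only when the parameter is true.
    return allow_noeku and bool(ekus & {CLIENT_AUTH, ANY_EKU})


def newly_accepted(inventory):
    """Names of certificates rejected under false but accepted under true."""
    return sorted(name for name, ekus in inventory.items()
                  if accepted(ekus, True) and not accepted(ekus, False))


# Constructed sample inventory: certificate label -> EKU OIDs (None = no EKU).
SAMPLE = {
    "piv-logon": [SMARTCARD_LOGON, CLIENT_AUTH],
    "vpn-client": [CLIENT_AUTH],
    "legacy-no-eku": None,
    "all-purpose": [ANY_EKU],
    "web-server": ["1.3.6.1.5.5.7.3.1"],    # serverAuth only
    "code-signing": ["1.3.6.1.5.5.7.3.3"],  # codeSigning only
}

if __name__ == "__main__":
    for name, ekus in SAMPLE.items():
        print(f"{name:15} false={accepted(ekus, False)!s:5} true={accepted(ekus, True)}")
    print("newly accepted when true:", newly_accepted(SAMPLE))
```

The certificates listed by newly_accepted are the ones to review before enabling the parameter, since general-purpose client certificates become valid logon credentials.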

After changing the value of this parameter, you must re-enable smart card support by running the following sctool command as root:

[root]$ sctool -E

When you run sctool with the -E option, you must also specify the -a or -k option. You can also control this feature using group policy.