Enabling certificates that do not have the extended key usage (EKU) attribute
Normally, smart card use requires certificates that contain the extended key usage attribute. However, Windows provides a group policy that allows the use of certificates that do not have this attribute.
Note: This group policy is implemented as an administrative template (
.adm file), not as an
xml file, as are the Centrify group policies.
To enable certificates that do not have the EKU attribute for use with smart cards:
- Open the group policy editor and edit the GPO that contains the Linux computers enabled for smart-card login.
- Open Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card and double-click Allow certificates with no extended key usage certificate attribute.
- Click Enabled and click OK.
When you enable this policy, it sets the
smartcard.allow.noekuparameter to true in the Centrify configuration file. Certificates with the following attributes can also be used to log on with a smart card:
Certificates with no EKU
Certificates with an All Purpose EKU
Certificates with a Client Authentication EKU
In a Terminal window, run the
sctoolcommand as root with the
--no-eku) parameter to re-enable smart card support. You must use either the
--pkinit) parameter with the
-Eoption; for example:
sctool -E -k firstname.lastname@example.org