Enabling certificates that do not have the extended key usage (EKU) attribute

Normally, smart card use requires certificates that contain the extended key usage attribute. However, Windows provides a group policy that allows the use of certificates that do not have this attribute.

Note: This group policy is implemented as an administrative template (.adm file), not as an XML file like the Centrify group policies.

To enable certificates that do not have the EKU attribute for use with smart cards:

  1. Open the group policy editor and edit the GPO that contains the Linux computers enabled for smart-card login.
  2. Open Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card and double-click Allow certificates with no extended key usage certificate attribute.
  3. Click Enabled and click OK.

    When you enable this policy, it sets the smartcard.allow.noeku parameter to true in the Centrify configuration file. Certificates with the following attributes can also be used to log on with a smart card:

    • Certificates with no EKU

    • Certificates with an All Purpose EKU

    • Certificates with a Client Authentication EKU

  4. In a Terminal window, run the sctool command as root with the -E (--no-eku) parameter to re-enable smart card support. You must use either the -a (--altpkinit) or -k (--pkinit) parameter with the -E option; for example:

    sctool -E -k jsmart@acme.com
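As an added example (not Centrify code), the following audit helper reads the Centrify configuration file for the smartcard.allow.noeku setting that step 3 turns on, and classifies a certificate's EKU list against the rules listed above. It assumes the configuration uses "key: value" lines with "#" comments, that the setting defaults to false when absent, and that the EKU normally required is Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2); the sample configuration text is constructed for the example.

```python
"""Audit helper for smartcard.allow.noeku (added example, not Centrify's own code)."""

# Standard EKU OIDs; the mapping to the page's three categories is an assumption here.
OID_ANY_EKU = "2.5.29.37.0"                 # "All Purpose" (anyExtendedKeyUsage)
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # Client Authentication
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # assumed to be the EKU normally required

# Constructed sample of a Centrify configuration file (not a real host's file).
SAMPLE_CONF = """\
# centrifydc.conf excerpt (constructed for this example)
smartcard.allow.noeku: false
smartcard.allow.noeku: true   # later value wins, set by the GPO
"""


def parse_centrify_conf(text):
    """Parse 'key: value' lines, dropping '#' comments; a later key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def noeku_allowed(conf_text):
    """True when the relaxed policy from step 3 is in effect (assumed default: false)."""
    value = parse_centrify_conf(conf_text).get("smartcard.allow.noeku", "false")
    return value.lower() == "true"


def eku_acceptable(eku_oids, allow_noeku):
    """Decide whether a certificate with these EKU OIDs can be used for smart card logon.

    Without the relaxed policy only the Smart Card Logon EKU qualifies; with it, the
    three categories from the page are also accepted: no EKU, All Purpose, Client Auth.
    """
    if OID_SMARTCARD_LOGON in eku_oids:
        return True
    if not allow_noeku:
        return False
    return not eku_oids or OID_ANY_EKU in eku_oids or OID_CLIENT_AUTH in eku_oids


if __name__ == "__main__":
    relaxed = noeku_allowed(SAMPLE_CONF)
    print("smartcard.allow.noeku in effect:", relaxed)
    for ekus in ([], [OID_CLIENT_AUTH], ["1.3.6.1.5.5.7.3.1"]):
        print(ekus or "no EKU", "->", "accepted" if eku_acceptable(ekus, relaxed) else "rejected")
```

Running the audit against each Linux host's configuration shows where the weaker certificate requirement is active, which is worth tracking since it widens the set of certificates that can log on.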