Allow certificates with no extended key usage certificate attribute

Path

Computer Configuration > Policies > Administrative Templates: Policy Definitions > Windows Components > Smart Card.

Description

The group policy, “Allow certificates with no extended key usage certificate attribute” is defined in a Windows administrative template file (.adm), not in centrify_mac_settings.xml, and is in Administrative Templates, not in Mac Settings.

To enable or disable this policy, click Computer Configuration > Policies > Administrative Templates: Policy Definitions > Windows Components > Smart Card.

Enabling this policy setting allows the use of certificates for smart card login that do not have the Extended Key Usage (EKU) attribute set. Normally, certificates that are used for smart card login require this attribute with a smart card logon object identifier.

When you enable this policy, it sets the smartcard.allow.noeku parameter to true in the Centrify configuration file. Certificates with the following attributes can also be used to log on with a smart card:

  • Certificates with no EKU
  • Certificates with an All Purpose EKU
  • Certificates with a Client Authentication EKU

If you disable or do not configure this policy setting (and do not set the smartcard.allow.noeku parameter to true in the Centrify configuration file), only certificates that contain the smart card logon object identifier can be used for smart card login.
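The acceptance rule above, as an added worked example (not Centrify code): it reads smartcard.allow.noeku from configuration text, assuming the Centrify file's name: value line format, and applies the rule to a certificate's EKU list. The EKU object identifiers are the standard ones and are not taken from this page; the sample certificates are constructed.

```python
from typing import Dict, Optional, Sequence

# Standard EKU object identifiers (well known; not listed on the page).
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
OID_ANY_EKU = "2.5.29.37.0"                     # anyExtendedKeyUsage ("All Purpose")


def allow_noeku_from_config(conf_text: str) -> bool:
    """Return the smartcard.allow.noeku setting from configuration text.

    Assumes 'name: value' lines with '#' comments (an assumption about the
    Centrify file format). An unset parameter means the default, false,
    which matches the policy being disabled or not configured."""
    value = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        if key.strip() == "smartcard.allow.noeku":
            value = val.strip().lower() == "true"  # last occurrence wins
    return value


def smartcard_logon_allowed(eku_oids: Optional[Sequence[str]], allow_noeku: bool) -> bool:
    """Decide whether a certificate may be used for smart card logon.

    eku_oids is None when the certificate has no EKU extension at all.
    Policy disabled: only the smart card logon OID is accepted.
    Policy enabled: no EKU, All Purpose EKU or Client Authentication EKU
    are accepted as well. Any other EKU set is rejected in both modes."""
    if eku_oids is None:
        return allow_noeku
    oids = set(eku_oids)
    if OID_SMARTCARD_LOGON in oids:
        return True
    if not allow_noeku:
        return False
    return bool(oids & {OID_ANY_EKU, OID_CLIENT_AUTH})


# Constructed sample certificates: label -> EKU list (None = no EKU extension).
SAMPLE_CERTS = {
    "logon-oid": [OID_SMARTCARD_LOGON],
    "no-eku": None,
    "client-auth": [OID_CLIENT_AUTH],
    "all-purpose": [OID_ANY_EKU],
    "server-auth-only": ["1.3.6.1.5.5.7.3.1"],  # id-kp-serverAuth, never accepted
}


def evaluate(conf_text: str) -> Dict[str, bool]:
    """Apply the rule to every sample certificate under the given config."""
    allow = allow_noeku_from_config(conf_text)
    return {label: smartcard_logon_allowed(ekus, allow) for label, ekus in SAMPLE_CERTS.items()}
```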

After changing the value of this parameter, you must re-enable smart card support by running the following sctool command as root:

[root]$ sctool -E

Note: You must also specify the --altpkinit or --pkinit parameter when you run sctool with the -E option.