Enabling a Certificate Without Extended Key Usage

Normally, smart card use requires certificates that contain the extended key usage (EKU) attribute. However, Windows provides a group policy that allows the use of certificates that do not have the EKU attribute.

This group policy is implemented as an administrative template (.adm file), not as an xml file, as are the Delinea group policies.

To use certificates without the EKU attribute with smart cards:

1. Open the group policy editor and edit the GPO that contains the Linux computers enabled for smart-card login.

2. Open Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card and double-click Allow certificates with no extended key usage certificate attribute.

3. Click Enabled and click OK.

   When you enable this policy, it sets the smartcard.allow.noeku parameter to true in the Delinea configuration file. Certificates with the following attributes can also be used to log on with a smart card:

   • Certificates with no EKU
   • Certificates with an All Purpose EKU
   • Certificates with a Client Authentication EKU

4. In a Terminal window, run the sctool command as root with the -E (--no-eku) parameter to re-enable smart card support. You must use either the -a (--altpkinit) or -k (--pkinit) parameter with the -E option; for example:

   sctool -E -k jsmart@acme.com