Copy the eku.txt file from the XCA installation location to the user’s XCA directory:
Windows: C:\Program Files\xca
macOS: /Applications/xca.app/Contents/Resources This can be accessed through the command line or right clicking on the xca application and selecting “Show Package Contents”
Linux: /usr/share/xca or /usr/local/share/xca
Note: The whole file eku.txt file must be copied, because xca only parses the first eku.txt it encounters.
Add a line to the user’s eku.txt referencing your new EKU:
Close and re-open XCA and your new EKU will be available:
After adding the Remote Desktop Authentication EKU, I found out it is no longer supported/recognized. The Microsoft Remote Desktop 10 app on macOS and Windows 10 both report the EKU as invalid/unknown.
Here is a BASH and OpenSSL implementation of a Time-Based One-Time Password generator for "emegency" if my phone is stolen or broken. All I need is a backup copy of the authenticator secrets. When setting up two-factor authentication, these codes are often displayed below the QR code.