Copy the eku.txt file from the XCA installation location to the user’s XCA directory:
Windows: C:\Program Files\xca
macOS: /Applications/xca.app/Contents/Resources This can be accessed through the command line or right clicking on the xca application and selecting “Show Package Contents”
Linux: /usr/share/xca or /usr/local/share/xca
Note: The whole file eku.txt file must be copied, because xca only parses the first eku.txt it encounters.
Add a line to the user’s eku.txt referencing your new EKU:
Close and re-open XCA and your new EKU will be available:
After adding the Remote Desktop Authentication EKU, I found out it is no longer supported/recognized. The Microsoft Remote Desktop 10 app on macOS and Windows 10 both report the EKU as invalid/unknown.
To block Windows 10 Updates, block lookup of the following domains:
This list differs from the lists I’ve been able to find published by Microsoft; notably stats.microsoft.com, mp.microsoft.com, and data.microsoft.com. I developed the list above by watching DNS queries while checking for updates and blocking domain names until the check for updates failed.
Since I’m using Dnsmasq, I’ve added a config file in /etc/dnsmasq.d/ so I can easily disable the blocking when I am ready to install updates: