Certificates Basic Constraints Path Length

Is having a Path Length of 0 and None the same thing for the Basic Constraints of a CA-type certificate? To clarify, does a path length of 0 mean that the CA can issue no certificates, while a path length of None means that it can issue an infinite number of certificates?

Matt Avatar asked Jul 07 '11 20:07



1 Answer

Taken from RFC 5280, section 4.2.1.9:

A pathLenConstraint of zero indicates that no non-self-issued intermediate CA certificates may follow in a valid certification path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed.

I.e. a pathLenConstraint of 0 does still allow the CA to issue certificates, but these certificates must be end-entity certificates (the CA flag in BasicConstraints is false - these are the "normal" certificates that are issued to people or organizations).

It also implies that with this certificate, the CA must not issue intermediate CA certificates (where the CA flag is true again - these are certificates that could potentially issue further certificates, thereby increasing the pathLen by 1).

An absent pathLenConstraint on the other hand means that there is no limitation considering the length of certificate paths built from an end-entity certificate that would lead up to our example CA certificate. This implies that the CA could issue an intermediate certificate for a sub CA, this sub CA could again issue an intermediate certificate, this sub CA could again... until finally one sub CA would issue an end-entity certificate.

If the pathLenConstraint of a given CA certificate is > 0, then it expresses the number of possible intermediate CA certificates in a path built from an end-entity certificate up to the CA certificate. Let's say CA X has a pathLenConstraint of 2, and the end-entity certificate is issued to EE. Then the following scenarios are valid (I denoting an intermediate CA certificate):

X - EE
X - I1 - EE
X - I1 - I2 - EE

but this and those scenarios with even more intermediate CAs are not

X - I1 - I2 - I3 - EE ... 
emboss Avatar answered Oct 09 '22 15:10

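The scenarios in the answer can be checked mechanically with the path-length rule from RFC 5280 section 6.1.4, steps (l) and (m): every non-self-issued intermediate CA certificate consumes one unit of the remaining path length, and an intermediate carrying a smaller pathLenConstraint of its own tightens the budget for everything below it. The following is an added example, not code from the answer above; it models certificates with a small dataclass instead of real X.509 objects, treats CA X's pathLenConstraint as the starting budget (as the answer does), and the chains `_chain` builds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal model of the BasicConstraints fields that matter for the check."""
    name: str
    ca: bool                        # BasicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None means absent (no limit)
    self_issued: bool = False       # subject == issuer (e.g. a re-keyed CA cert); not counted


def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """Apply RFC 5280 section 6.1.4 steps (l) and (m) to a chain.

    chain[0] is the CA whose pathLenConstraint we start from (CA X in the
    answer), chain[-1] is the end-entity certificate, and everything in
    between is an intermediate CA certificate.
    """
    if len(chain) < 2:
        return False, "chain needs at least an issuing CA and an end-entity certificate"
    anchor, intermediates, end_entity = chain[0], chain[1:-1], chain[-1]
    if not anchor.ca:
        return False, f"{anchor.name} has cA=false and cannot issue certificates"

    # Absent pathLenConstraint means no limit: any value >= the number of
    # intermediates behaves as 'unlimited', so len(chain) is a convenient choice.
    max_path_length = anchor.path_len if anchor.path_len is not None else len(chain)

    for cert in intermediates:
        if not cert.ca:
            return False, f"{cert.name} has cA=false but appears as an issuer"
        # Step (l): each non-self-issued intermediate uses one unit of the budget.
        if not cert.self_issued:
            if max_path_length <= 0:
                return False, f"pathLenConstraint exhausted: {cert.name} is one intermediate too many"
            max_path_length -= 1
        # Step (m): a tighter constraint further down the chain takes over.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len

    return True, f"path length OK (end entity {end_entity.name})"


def describe(chain: List[Cert]) -> str:
    """Render a chain the way the answer writes it, e.g. 'X - I1 - EE'."""
    return " - ".join(c.name for c in chain)


EE = Cert("EE", ca=False)


def _chain(anchor_path_len: Optional[int], n_intermediates: int) -> List[Cert]:
    """Constructed chain: CA X with the given pathLen, then I1..In, then EE."""
    x = Cert("X", ca=True, path_len=anchor_path_len)
    inters = [Cert(f"I{i}", ca=True) for i in range(1, n_intermediates + 1)]
    return [x, *inters, EE]


if __name__ == "__main__":
    # Walk the answer's scenarios for pathLen 0, 2 and absent.
    for plc in (0, 2, None):
        for n in range(0, 4):
            chain = _chain(plc, n)
            ok, why = check_path_length(chain)
            status = "valid" if ok else "INVALID: " + why
            print(f"pathLen={str(plc):>4}  {describe(chain):<22} {status}")
```

Running the block prints the table the answer describes: with pathLen 2, `X - EE` through `X - I1 - I2 - EE` are valid and `X - I1 - I2 - I3 - EE` is rejected; with pathLen 0 only `X - EE` passes; with no constraint every depth passes. The `self_issued` flag covers the one subtlety the RFC text quoted in the answer hints at ("non-self-issued"): a CA re-issuing its own certificate under a new key does not spend path length.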