Configure Path Length Constraint for Certificates Issued by a Certification Authority

For stronger control over the certificates that can be issued by a certification authority, a path length constraint can be set up so that certification authorities above a defined hierarchy level are no longer able to issue subordinate certification authority certificates

For an explanation of how the path length constraint works, see the article "Basics: Path Length Constraint"..

There are two ways to implement a path length restriction in a certificate authority certificate:

• By entry in the "Basic Constraints" extension of a certification authority certificate. This can either be requested via the certificate request of the Certification Authority or specified by the parent Certification Authority. A root Certification Authority can set this entry for its own Certification Authority certificate during its issuance. In the case of a root certification authority (root CA), however, this robs flexibility because a change requires a reissue (renewal) of the certification authority certificate.
• By entering a registration key in the certification authority, which will make the certification authority think it has a path length restriction, even though none is defined in the certification authority certificate. This is the preferred way for a certification authority.

Configuration via the certificate request of a certification authority

If a Certification Authority certificate is applied for the first time or is renewed later (in the case of a root Certification Authority also: issued by itself), it can be renewed by previously entering a section within the capolicy.inf (also works for already existing certification authorities) the resulting certificate request can be processed accordingly, so that a restriction of the path length is requested.

[BasicConstraintsExtension]
PathLength={value}
Critical=TRUE

NotePolicies and constraints should always be specified by the higher-level certification authority. This means that the higher-level Certification Authority is not bound by our Antrasg and can also process it differently accordingly. It is therefore essential to check the results.

To set the limitation of the path length, a natural positive number corresponding to the number of desired hierarchy levels is entered as "Value". Please note that the last hierarchy level will receive the value "0". So if one wants to define a two-level hierarchy, the value "1" must be entered on the root certification authority.

The higher-level Certification Authority ultimately decides on the implementation of the settings requested in a certificate request (CSR). Thus, the result in the issued certificate may well deviate from the certificate and must be checked accordingly.

The Certification Authority certificate can then be applied for or renewed.

Configuration via registry of the certification authority

The configuration for restricting the path length of certificates issued by a certificate authority is set through the registry on the certificate authority. It is located in the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ 
{Common-name-of-the-certification authority}\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

The configuration can be done via the registry editor or via the following command line command:

certutil -setreg Policy\CAPathLength {value}

• To set the limitation of the path length, a natural positive number corresponding to the number of desired hierarchy levels is entered. Please note that the last hierarchy level will receive the value "0". So if one wants to define a two-level hierarchy, the value "1" must be entered on the root certification authority.
• To deactivate the limitation of the path length, the value "-1" (hexadecimal: ffffffff) is entered.

After setting the configuration, the certification authority service must be restarted so that the configuration is read in and used.

Closing words

Certificates issued by the certification authority (and, depending on the configuration, the certification authority certificate itself) should now have an appropriate path length constraint in the Basic Constraints extension.

Related links:

• Installation of a standalone root certification authority (Standalone Root CA)
• Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".