Help banner

Certificate Basic Constraints

Certificate Type

Unspecified
Select this option if you do not want to add a basic constraint extension to the certificate.

Certificate Authority
Select this option to add a Certificate Authority basic constraint extension to the certificate. If the certificate is for a Certificate Authority, you must select this option.

End Entity
Select this option to add a basic constraint extension to the certificate that specifies this is an End Entity (that is not a Certificate Authority) certificate. Note: If a certificate is of type End Entity, the path length should be set to Unspecified.

Path Length

Unspecified
Select this option if you don't want to specify how many levels of subordinate CAs can be created under this CA.

Note: If a certificate is of type End Entity, the path length should only be set to Unspecified.

Specific
Select this option if you want to specify how many levels of subordinate CAs can be created under this CA. Click the Up and Down-arrows to specify the path length.

Note: If the certificate being created is a subordinate CA, the path length must be consistent with the superior CA. For example, if the superior CA has a path length of 3, the subordinate's path length must be 2 or less. If the superior CA has an unspecified path length, the subordinate may also have an unspecified path length or any specific path length desired.

Set Basic Constraints Extension to Critical

In general, the Basic Constraints Extension must be set to critical for CA certificates. Any extension that is critical must be understood by the receiving software before the certificate can be used for any purpose. Therefore, marking an extension as critical does pose some risk, because not all applications can use the certificate. However, for well known extensions such as Basic Constraints, the risk is minimal.