Certificate Basic Constraints

Path Length

Unspecified
Select this option if you don't want to specify how many levels of subordinate CAs can be created under this CA.

Note: If a certificate is of type End Entity, the path length should only be set to Unspecified.

Specific
Select this option if you want to specify how many levels of subordinate CAs can be created under this CA. Click the Up and Down arrows to specify the path length.

Note: If the certificate being created is a subordinate CA, the path length must be consistent with the superior CA. For example, if the superior CA has a path length of 3, the subordinate's path length must be 2 or less. If the superior CA has an unspecified path length, the subordinate may also have an unspecified path length or any specific path length desired.
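The consistency rule in the note above, written as an added Python example (it is not part of the original help page or of the product's code). It checks each superior/subordinate pair in a CA hierarchy; the function names and the sample hierarchy are assumptions, and treating an Unspecified subordinate under a superior with a Specific path length as inconsistent is this example's reading of "must be 2 or less".

```python
from typing import List, Optional, Tuple

# None models the "Unspecified" option; an int models "Specific".
PathLen = Optional[int]


def fmt(value: PathLen) -> str:
    return "Unspecified" if value is None else str(value)


def subordinate_allowed(superior: PathLen, subordinate: PathLen) -> bool:
    """Apply the note's rule to one superior CA / subordinate CA pair."""
    if subordinate is not None and subordinate < 0:
        return False                    # a path length cannot be negative
    if superior is None:
        return True                     # unspecified superior: any value is fine
    if subordinate is None:
        return False                    # assumption: unlimited is not "N-1 or less"
    return subordinate <= superior - 1  # e.g. superior 3 -> subordinate 2 or less


def audit_chain(chain: List[Tuple[str, PathLen]]) -> List[str]:
    """Check every adjacent pair in a root-first list of (name, path length)."""
    findings = []
    for (sup_name, sup_len), (sub_name, sub_len) in zip(chain, chain[1:]):
        if not subordinate_allowed(sup_len, sub_len):
            findings.append(
                f"{sub_name}: path length {fmt(sub_len)} is inconsistent with "
                f"{sup_name} (path length {fmt(sup_len)})"
            )
    return findings


# Constructed sample hierarchy; the CA names are illustrative only.
SAMPLE = [
    ("Root CA", 3),
    ("Policy CA", 2),
    ("Issuing CA", 2),  # inconsistent: must be 1 or less under Policy CA
]

if __name__ == "__main__":
    for line in audit_chain(SAMPLE):
        print(line)
```

A superior CA with a path length of 0 rejects every subordinate CA value, which matches the rule that the subordinate must be one less than the superior or lower.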

Set Basic Constraints Extension to Critical

In general, the Basic Constraints Extension must be set to critical for CA certificates. Any extension that is critical must be understood by the receiving software before the certificate can be used for any purpose. Marking an extension as critical therefore poses some risk, because an application that does not understand the extension cannot use the certificate. However, for well-known extensions such as Basic Constraints, the risk is minimal.