Constraints Reference474 Netscape Certificate Management System Administrator’s Guide • February 2003Extended Key Usage Extension ConstraintThe extended key usage extension constraint checks if the extended key usageextension in the certificate request satisfies the criteria set in this constraint.PathLen Specifies the maximum allowable path length, the maximumnumber of CA certificates that may be chained below(subordinate to) the subordinate CA certificate being issued.Note that the path length you specify affects the number of CAcertificates to be used during certificate validation. The chainstarts with the end-entity certificate being validated andmoving up the chain.This parameter has no effect if the extension is set in end-entitycertificates.Permissible values: 0 or n. Make sure that the value you chooseis less than the path length specified in the Basic Constraintsextension of the CA signing certificate (owned by the CA thatwill issue these certificates).• 0 specifies that no subordinate CA certificates are allowedbelow the subordinate CA certificate being issued—that is,only an end-entity certificate may follow in the path.• n must be an integer greater than zero. It specifies at themost n subordinate CA certificates are allowed below thesubordinate CA certificate being used.If you leave the field blank, the path length defaults to avalue that is determined by the path length set on theBasic Constraints extension in the issuer’s certificate. Ifthe issuer’s path length is unlimited, the path length inthe subordinate CA certificate will also be unlimited. Ifthe issuer’s path length is an integer greater than zero,the path length in the subordinate CA certificate will beset to a value that’s one less than the issuer’s path length;for example, if the issuer’s path length is 4, the pathlength in the subordinate CA certificate will be set to 3.Table 10-18 Basic Constraints Extension Constraint Configuration Parameters (Continued)Parameter Description
