RFC 5280 is for path building and validation when certificates are being used. It is not meant for validation during certificate creation. As Rich indicated, OpenSSL will sign anything you present.
With kind regards,
Patrick Tronnier
Principal Security Architect & Sr. Director of Quality Assurance
Phone: 763.201.2000  Fax: 763.201.5333  Direct Line: 763.201.2052
Open Access Technology International, Inc.
3660 Technology Drive NE, Minneapolis, MN 55418

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Peter1234
Sent: Thursday, August 22, 2013 9:00 AM
To: openssl-users@openssl.org
Subject: RE: CA hierarchy / pathlen:0

> You misunderstand how it's supposed to work. OpenSSL does not prevent you from signing anything. It can't; for example, you could use other software and generate the signature. Instead, when the recipient gets a certificate, and verifies the chain, it should reject the chain because the signing CA was not legitimate (pathlen exceeded).

Hi Rich,

The following lines are copied from RFC 5280:

    The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.) A pathLenConstraint of zero indicates that no non-self-issued intermediate CA certificates may follow in a valid certification path.
    Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed.

I assumed OpenSSL would conform to RFC standards and therefore I supposed that it takes care of path lengths specified in CA certificates.

--
View this message in context: http://openssl.6102.n7.nabble.com/CA-hierarchy-pathlen-0-tp46248p46288.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
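The distinction the thread turns on (signing is unconstrained, path validation enforces pathLenConstraint) can be reproduced end to end with the OpenSSL command line. The script below is an added example, not code posted by any of the thread's participants. It assumes an `openssl` CLI (1.1.1 or 3.x) on PATH; the config file, subject names and file names are all constructed for the demo. It builds a root with `pathlen:0`, shows that `openssl x509 -req` signs a sub-CA under it anyway, and then shows that `openssl verify` accepts a leaf issued directly by the root but rejects the root -> sub-CA -> leaf chain.

```shell
#!/bin/sh
# Added example (not from the thread): certificate creation does no path
# validation; openssl verify (RFC 5280 path validation) enforces pathlen.
# Assumes the openssl CLI is on PATH. All names below are constructed.
set -eu

# Build a demo PKI inside the directory given as $1.
# Runs in a subshell so the cd does not leak into the caller.
build_demo_pki() (
  cd "$1"
  cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ sub_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  # Self-signed root with pathlen:0: no non-self-issued intermediate may follow it.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -config ext.cnf -extensions root_ca -keyout root.key -out root.pem >/dev/null 2>&1
  # Sub-CA signed by the root. Signing performs no path validation, so this
  # succeeds even though the resulting hierarchy violates the root's pathlen:0.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
    -config ext.cnf -keyout sub.key -out sub.csr >/dev/null 2>&1
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ext.cnf -extensions sub_ca -out sub.pem >/dev/null 2>&1
  # One leaf CSR, issued twice: once by the sub-CA, once directly by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -config ext.cnf -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 1 -extfile ext.cnf -extensions leaf -out leaf_via_sub.pem >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ext.cnf -extensions leaf -out leaf_via_root.pem >/dev/null 2>&1
)

# Exit 0 if openssl verify accepts root -> sub-CA -> leaf. It should not:
# the sub-CA is a non-self-issued intermediate following a pathlen:0 CA.
verify_via_sub_ca() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/leaf_via_sub.pem"
}

# Exit 0 if openssl verify accepts root -> leaf. The end-entity certificate
# does not count against pathlen, so this chain is valid.
verify_via_root() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf_via_root.pem"
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
if verify_via_root "$DEMO_DIR"; then
  echo "root -> leaf: accepted"
fi
if verify_via_sub_ca "$DEMO_DIR"; then
  echo "root -> sub-CA -> leaf: accepted (unexpected)"
else
  echo "root -> sub-CA -> leaf: rejected by path validation (pathlen:0 exceeded)"
fi
```

Run as a plain script; the second `openssl verify` reports the failure at depth 1 (the sub-CA) with "path length constraint exceeded", which is exactly the check the relying party, not the signer, is expected to perform.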