Self signed certificate path constraint exceeded

I have the following self signed certificate chain:

RootCA -> IntermediateCA (signed by root) -> Server Cert (leaf for TLS, signed by intermediate)

RootCA has MaxPathLen = 0

My certificates are generated using certstrap using CreateCertificateAuthority and CreateIntermediateCertificateAuthority so I assumed the default settings were correct. But when trying to get my self signed certificates working with Python or Node client side I hit a path length constraint exceeded error.

> NOTE: The setup was working fine when using a Go TLS client by just supplying the intermediate CA certificate. Python and Node seem to require the full cert chain hence why the problem arose.

From rfc5280 I see the statement:
> In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path.

I'm confused by non-self-issued intermediate certificates. Is this implying that my chain is valid because the RootCA signed the intermediate (hence it is not non-self-issued). Or it is not valid, because the intermediate counts as as a non-self-issued certificate. What exactly is self referring to here? It could be self signing or the rootca being self.

Should my rootCA in this case actually have a MaxPathLen of 1?

If the root has a MaxPathLen=0, then it can only issue end-entity certificates and no intermediate CA certificates can follow. The Root CA is self-signed.

In your case, the Root has issued an intermediate CA and that is not allowed. And will get the error you described.

> non-self-issued intermediate certificates

This refers to intermediate CAs that can follow the Root that are issued by that Root.

> Or it is not valid, because the intermediate counts as as a
> non-self-issued certificate.

That is correct the intermediate exceeds the MaxPathlen = 0.

> Self

Refers to the Root.

> Root CA and maxPathLen

The root CA with a maxPathLen >= 1 will work for the scenario presented. It can have an intermediate CA and that intermediate can sign end-entity certs.

Root -> ICA -> EE

However with that maxPathLen=1, the following will not work:

Root -> ICA-1 -> ICA-2 -> EE

The self-issued refers to a certificate in the chain that is issued to itself - that is Subject and Issuer are the same. This is usually used for key changeover purposes and can be ignored otherwise.

Your problem arises because you've placed the basicConstraint pathLenConstraint of 0 on the Root. With a value of 0, it should be on the last CA in the chain - the one you call Intermediate CA.

From RFC 5280:

> A pathLenConstraint of zero indicates that no [non-
self-issued] intermediate CA certificates may follow in a valid
certification path

It's wise not to a pathLenConstraint on your Root as you may not know at the time of signing how your subordinate CAs will pad out over time.