ConsoleOne reports a "Path Length Violation" while running the validation process

  • 3975484
  • 02-Jul-2007
  • 27-Apr-2012

Environment


Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3.8 for All Platforms
Novell Certificate Server (PKIS) 3.20
Novell ConsoleOne 1.36f on Windows XP SP2

Situation

ConsoleOne reports a "Path Length Violation" while running the validation process

The trust chain for the certificate being validated contains three CA certificates (one self-signed root and two subordinate CAs):
SelfSigned CA with a pathLenConstraint = "5"
Sub CA1 with a pathLenConstraint = "2"
Sub CA2 with no pathLenConstraint set

Resolution

This issue has been reported to engineering.

Status

Reported to Engineering

Additional Information

Before the change, the Novell Certificate Server validation process applied the following rules to the pathLenConstraint attribute when checking the trust chain above:
  1. A CA certificate with no pathLenConstraint attribute is treated as having an unlimited path length.
  2. A subordinate CA certificate may not have a greater pathLenConstraint value than the CA certificate that issued it.
Because Sub CA2 has no pathLenConstraint (unlimited) while its issuer Sub CA1 is limited to 2, rule 2 was triggered and ConsoleOne returned a "Path Length Violation" error.

After a discussion on the PKIX mailing list the validation process was changed.
RFC 3280 contains no MUST statement requiring a CA that issues a certificate to a subordinate CA to set a pathLenConstraint in that certificate, so an absent attribute is not an error in itself.

The path validation steps in RFC 3280 (section 6.1.4, preparation for the next certificate in the path) specifically say:
(l) If the certificate was not self-issued, verify that max_path_length
is greater than zero and decrement max_path_length by 1.
(m) If pathLenConstraint is present in the certificate and is less than max_path_length,
set max_path_length to the value of pathLenConstraint.

Here max_path_length is the running budget of CA certificates still allowed in the path. RFC 3280 section 6.1.2 initialises it to n, the number of certificates in the path, and does not consult the trust anchor's own pathLenConstraint; the validation process described in this TID instead starts it at the value in the root CA certificate. For this chain the outcome is the same either way. Starting at 5: processing Sub CA1 decrements max_path_length to 4, and because Sub CA1's pathLenConstraint of 2 is less than 4, max_path_length becomes 2. Processing Sub CA2 finds max_path_length greater than zero and decrements it to 1; Sub CA2 carries no pathLenConstraint, so nothing else changes. The certificate for Sub CA2 therefore passes the check, and an end-entity certificate (one that is not a CA) issued by Sub CA2 is considered valid as well, since the end-entity certificate is handled by the wrap-up procedure and is never subject to step (l). A genuine path length violation would only arise further down: Sub CA1's value of 2 allows at most two more non-self-issued CA certificates (Sub CA2 and one CA below it) before max_path_length reaches 0 and the next CA certificate is rejected.
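The processing just described, traced over the chain from the Situation section and contrasted with the earlier rule, as an added Python example. This is not Novell Certificate Server or ConsoleOne code; the certificates are constructed records carrying only the fields the algorithm reads (subject, issuer, CA flag, pathLenConstraint), not real X.509 certificates, and the chain names and the additional chains are assumptions made for the illustration.

```python
"""RFC 3280 max_path_length processing, traced over the trust chain from the
Situation section. Added illustration only: this is not Novell Certificate
Server or ConsoleOne code, and the certificates are constructed records
carrying just the fields the algorithm reads, not real X.509 certificates."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = True
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint; None = absent

    @property
    def self_issued(self) -> bool:
        # RFC 3280 section 6.1: a certificate is self-issued when issuer == subject
        return self.subject == self.issuer


def rfc3280_path_length(chain: List[Cert], init_from_anchor: bool = False) -> Optional[str]:
    """Run the path-length part of RFC 3280 section 6.1 over chain.

    chain[0] is the trust anchor, chain[-1] the end-entity certificate.
    Returns None when the chain passes, otherwise a description of the violation.
    RFC 3280 section 6.1.2 initialises max_path_length to n, the number of
    certificates in the path after the anchor; init_from_anchor=True instead
    starts from the anchor's own pathLenConstraint, as the TID describes.
    """
    n = len(chain) - 1
    max_path_length = n
    if init_from_anchor and chain[0].path_len is not None:
        max_path_length = chain[0].path_len
    # Section 6.1.4 runs for every certificate except the last one; the
    # end-entity certificate is handled by the 6.1.5 wrap-up, which has no
    # path-length step, so a leaf issued by the last CA never fails here.
    for i in range(1, n):
        cert = chain[i]
        if not cert.is_ca:
            return f"{cert.subject}: intermediate certificate is not a CA"
        if not cert.self_issued:
            # step (l): a non-self-issued CA consumes one unit of path length
            if max_path_length <= 0:
                return f"{cert.subject}: max_path_length already 0 (path length violation)"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            # step (m): a tighter constraint lower in the chain wins
            max_path_length = cert.path_len
    return None


def legacy_rule(chain: List[Cert]) -> Optional[str]:
    """The pre-change rule described above: an absent pathLenConstraint means
    unlimited, and a subordinate CA may not carry a larger value than its issuer."""
    unlimited = float("inf")
    for issuer, subject in zip(chain[:-1], chain[1:]):
        if not subject.is_ca:
            continue
        issuer_len = unlimited if issuer.path_len is None else issuer.path_len
        subject_len = unlimited if subject.path_len is None else subject.path_len
        if subject_len > issuer_len:
            return (f"Path Length Violation: {subject.subject} ({subject_len}) "
                    f"exceeds {issuer.subject} ({issuer_len})")
    return None


# The chain from the Situation section: root 5, Sub CA1 2, Sub CA2 unset, then a leaf.
TID_CHAIN = [
    Cert("Root CA", "Root CA", path_len=5),
    Cert("Sub CA1", "Root CA", path_len=2),
    Cert("Sub CA2", "Sub CA1"),
    Cert("server.example", "Sub CA2", is_ca=False),
]

# Constructed chain that really does exceed the constraint: Sub CA1 allows no
# further CA certificates below it, yet Sub CA2 follows.
EXHAUSTED_CHAIN = [
    Cert("Root CA", "Root CA"),
    Cert("Sub CA1", "Root CA", path_len=0),
    Cert("Sub CA2", "Sub CA1"),
    Cert("server.example", "Sub CA2", is_ca=False),
]

# Constructed key-rollover chain: Sub CA1 re-issues itself (self-issued), which
# does not consume path length under step (l).
ROLLOVER_CHAIN = [
    Cert("Root CA", "Root CA"),
    Cert("Sub CA1", "Root CA", path_len=0),
    Cert("Sub CA1", "Sub CA1"),
    Cert("server.example", "Sub CA1", is_ca=False),
]

if __name__ == "__main__":
    for name, chain in [("TID", TID_CHAIN), ("exhausted", EXHAUSTED_CHAIN),
                        ("rollover", ROLLOVER_CHAIN)]:
        print(name, "RFC 3280:", rfc3280_path_length(chain) or "valid",
              "| legacy:", legacy_rule(chain) or "valid")
```

Running it shows the TID chain passing under RFC 3280 (with either initialisation) while the legacy rule rejects Sub CA2, and shows the two cases the legacy rule conflates with a real violation: a chain whose budget is genuinely exhausted, and a self-issued rollover certificate that the RFC does not count.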