Update: remove path length parameter from make_ca function and set it to 1 in certificate generation
All checks were successful
/ test (push) Successful in 12s

2026-03-05 06:20:14 +01:00
parent b47d307d88
commit fe208451b3
2 changed files with 4 additions and 4 deletions


@@ -95,7 +95,7 @@ echo "---------------------------------"
echo
# Create a new CA with pathlen 1
if ! make_ca --path-len 1 "$CA_DIR" "Test Two Level CA"; then
if ! make_ca "$CA_DIR" "Test Two Level CA"; then
echo "ERROR: Failed to create CA." >&2
exit 1
fi
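Review bot: The comment `# Create a new CA with pathlen 1` now describes something the call beneath it no longer requests, because the constraint is fixed inside make_ca. I would reword it to `# Create a new CA (make_ca always sets pathlen:1 on the certificate)` so the dependency on that built-in value is visible at the call site. If the part of the test outside this hunk does not already do so, it is also worth asserting the generated certificate's basicConstraints, for example with `openssl x509 -noout -ext basicConstraints -in <ca-cert-path>` (placeholder path), so that a later change to the literal in make_ca fails the test instead of passing silently.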


@@ -42,7 +42,6 @@ function make_ca() {
# CA defaults to the main CA if not specified, but can be overridden with --issuing-ca
local CA_FILE_PREFIX="ca"
local PATHLEN=0
while [[ $# -gt 0 ]]; do
case "$1" in
@@ -64,7 +63,6 @@ function make_ca() {
return 1
fi
CA_FILE_PREFIX="$2"
PATHLEN=1
shift 2
;;
*)
@@ -96,6 +94,8 @@ function make_ca() {
return 1
fi
echo "Generating CA certificate '$CA_NAME' and key..."
# Path length constraint of 1 is set for the root CA to allow creating one level of issuing CAs,
# but prevent creating a longer chain of CAs which is not supported by this script.
if ! openssl req \
-x509 \
-newkey rsa:4096 \
@@ -105,7 +105,7 @@ function make_ca() {
-noenc \
-subj "/CN=${CA_NAME}" \
-text \
-addext "basicConstraints=critical,CA:TRUE,pathlen:${PATHLEN}"; then
-addext "basicConstraints=critical,CA:TRUE,pathlen:1"; then
echo "ERROR: Failed to generate CA certificate and key." >&2
return 1
fi
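Review bot: The literal `pathlen:1` in the `-addext` line of the last hunk now applies to every certificate make_ca generates, whereas the removed `local PATHLEN=0` made 0 the default and 1 was set only in the option arm that assigns `CA_FILE_PREFIX`. A CA that only signs end-entity certificates is therefore permitted one subordinate CA it does not need; if single-level use is still supported, the narrower value should remain the default. The new comment also relies on the root's constraint alone to stop longer chains, but validators are not uniformly strict about constraints carried in a self-signed trust anchor. I would add `# Issuing CAs signed by this root must themselves carry pathlen:0.` and confirm that the issuing-CA code path, which is not visible here, does so. make_ca starts before and continues after these hunks.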