diff --git a/run-tests.sh b/run-tests.sh
index 27eb7db..e7a6f0f 100755
--- a/run-tests.sh
+++ b/run-tests.sh
@@ -95,7 +95,7 @@ echo "---------------------------------"
 echo
 # Create a new CA with pathlen 1
-if ! make_ca --path-len 1 "$CA_DIR" "Test Two Level CA"; then
+if ! make_ca "$CA_DIR" "Test Two Level CA"; then
 echo "ERROR: Failed to create CA." >&2
 exit 1
 fi
diff --git a/simple-ca.sh b/simple-ca.sh
index 2519de2..62f3b6a 100755
--- a/simple-ca.sh
+++ b/simple-ca.sh
@@ -42,7 +42,6 @@ function make_ca() {
 # CA defaults to the main CA if not specified, but can be overridden with --issuing-ca
 local CA_FILE_PREFIX="ca"
- local PATHLEN=0
 while [[ $# -gt 0 ]]; do
 case "$1" in
@@ -64,7 +63,6 @@ function make_ca() {
 return 1
 fi
 CA_FILE_PREFIX="$2"
- PATHLEN=1
 shift 2
 ;;
 *)
@@ -96,6 +94,8 @@ function make_ca() {
 return 1
 fi
 echo "Generating CA certificate '$CA_NAME' and key..."
+ # Path length constraint of 1 is set for the root CA to allow creating one level of issuing CAs,
+ # but prevent creating a longer chain of CAs which is not supported by this script.
 if ! openssl req \
 -x509 \
 -newkey rsa:4096 \
@@ -105,7 +105,7 @@ function make_ca() {
 -noenc \
 -subj "/CN=${CA_NAME}" \
 -text \
- -addext "basicConstraints=critical,CA:TRUE,pathlen:${PATHLEN}"; then
+ -addext "basicConstraints=critical,CA:TRUE,pathlen:1"; then
 echo "ERROR: Failed to generate CA certificate and key." >&2
 return 1
 fi
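Review bot: The context comment `# Create a new CA with pathlen 1` above the changed `make_ca` call now describes a value that is no longer requested by the test, since the `--path-len 1` argument is gone; a reader will look for where pathlen 1 comes from. Suggest rewording it to `# Create a new CA (make_ca always emits a root with pathlen:1)` so the test documents the behaviour it relies on. This test previously exercised a non-default pathlen; whether any remaining test still asserts the basicConstraints extension on the generated root is outside this hunk and worth confirming.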
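Review bot: Hard-coding `pathlen:1` on the `-addext` line in the last hunk relaxes the constraint for callers that never create an issuing CA, because the removed `local PATHLEN=0` default in the first make_ca hunk previously gave a plain root `pathlen:0` and only widened it to 1 in the branch that set `PATHLEN=1`. If that relaxation is intended, the function's header documentation should say that every root produced by make_ca permits exactly one subordinate CA; otherwise keep the old default and set 1 only when a subordinate is requested. The new comment in the third hunk sits ten lines above the `-addext` it explains and ahead of the whole `openssl req` invocation; a shorter form directly on the extension line, such as `-addext "basicConstraints=critical,CA:TRUE,pathlen:1"; then  # one subordinate CA level only`, would read better. Where the issuing CA certificate itself is generated is outside these hunks; its own basicConstraints presumably should carry `pathlen:0` so the chain limit is explicit on both certificates rather than relying solely on the root's value.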