Update: remove path length parameter from make_ca function and set it to 1 in certificate generation

run-tests.sh

@@ -95,7 +95,7 @@ echo "---------------------------------"
 echo
 
 # Create a new CA with pathlen 1
-if ! make_ca --path-len 1 "$CA_DIR" "Test Two Level CA"; then
+if ! make_ca "$CA_DIR" "Test Two Level CA"; then
     echo "ERROR: Failed to create CA." >&2
     exit 1
 fi

simple-ca.sh

@@ -42,7 +42,6 @@ function make_ca() {
 
     # CA defaults to the main CA if not specified, but can be overridden with --issuing-ca
     local CA_FILE_PREFIX="ca"
-    local PATHLEN=0
 
     while [[ $# -gt 0 ]]; do
         case "$1" in
@@ -64,7 +63,6 @@ function make_ca() {
                     return 1
                 fi
                 CA_FILE_PREFIX="$2"
-                PATHLEN=1
                 shift 2
                 ;;
             *)
@@ -96,6 +94,8 @@ function make_ca() {
             return 1
         fi
         echo "Generating CA certificate '$CA_NAME' and key..."
+        # Path length constraint of 1 is set for the root CA to allow creating one level of issuing CAs,
+        # but prevent creating a longer chain of CAs which is not supported by this script.
         if ! openssl req \
             -x509 \
             -newkey rsa:4096 \
@@ -105,7 +105,7 @@ function make_ca() {
             -noenc \
             -subj "/CN=${CA_NAME}" \
             -text \
-            -addext "basicConstraints=critical,CA:TRUE,pathlen:${PATHLEN}"; then
+            -addext "basicConstraints=critical,CA:TRUE,pathlen:1"; then
             echo "ERROR: Failed to generate CA certificate and key." >&2
             return 1
         fi