Hi Dani,
I understand you would like to know more about the mechanics of path lengths within PCA. Here are some insights into your questions:
Could I have a CA hierarchy with length 10 as long as only 5 levels are managed within PCA? Response: The structure of a CA hierarchy is defined and enforced by the basic constraints extension that each certificate contains. The extension defines two constraints: (A) cA – Whether the certificate defines a CA. If this value is false (the default), then the certificate is an end-entity certificate. (B) pathLenConstraint – The maximum number of lower-level subordinate CAs that can exist in a valid chain of trust. The end-entity certificate is not counted because it is not a CA certificate. A root CA certificate needs maximum flexibility and does not include a path length constraint. This allows the root to define a certification path of any length.
However, with AWS Private CA, you can only create a hierarchy of certificate authorities with up to five levels. The root CA, at the top of a hierarchy tree, can have any number of branches. The root CA can have as many as four levels of subordinate CAs on each branch. You can also create multiple hierarchies, each with its own root.
Does PCA refuse to create X509 certificates with path length field values above 5? Note: PCA supports complex hierarchies with up to five levels. Each CA in the tree is backed by an X.509 v3 certificate with signing authority. This means that as CAs, they can sign other certificates subordinate to them. When a CA signs a lower-level CA's certificate, it confers limited, revocable authority on the signed certificate.
How does AWS Private CA limit the certification path length? Does it make the pathLength field in the BasicConstraints extension mandatory? Response: It uses what is called PathLenConstraint. Subordinate CAs have pathLenConstraint values equal to or greater than zero, depending on their placement in the hierarchy and desired features. For example, in a hierarchy with three CAs, no path constraint is specified for the root CA. The first subordinate CA has a path length of 1 and can therefore sign child CAs. Each of these child CAs must necessarily have a pathLenConstraint value of zero. This means that they can sign end-entity certificates but cannot issue additional CA certificates. Limiting the power to create new CAs is an important security control.
I hope this helps. Let me know if I answered your question or if you have any follow-up.
Kind regards, Ahmed
References:
[1] https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html
[2] https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html#length-constraints
[3] https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-pathlength
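To make the pathLenConstraint mechanics concrete, here is an added example (not from the answer above or from AWS) that applies the RFC 5280 section 6.1.4 path length rules to a constructed chain. The `Cert` class is a stand-in holding only the basicConstraints fields; it models X.509 validation, not PCA's own five-level creation limit. It walks the three-CA hierarchy from the answer, then shows that depth is capped only where some ancestor CA actually sets a pathLenConstraint.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate holding only the
    basicConstraints fields that path validation looks at."""
    subject: str
    is_ca: bool                     # basicConstraints.cA
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint; None = absent

def validate_path(chain: List[Cert]) -> Optional[str]:
    """Check a chain ordered trust anchor -> ... -> end entity against the
    pathLenConstraint rules of RFC 5280 section 6.1.4 (steps k, l, m).
    Returns None if the chain is acceptable, else a description of the violation."""
    if not chain:
        return "empty chain"
    remaining: Optional[int] = None  # None = no CA has constrained the path yet
    for depth, cert in enumerate(chain[:-1]):  # every cert except the leaf must be a CA
        if not cert.is_ca:
            return f"{cert.subject}: cA is false, so it cannot sign {chain[depth + 1].subject}"
        if depth > 0:
            # Each subordinate CA below the trust anchor consumes one hop of the
            # tightest pathLenConstraint seen so far; the end entity is not counted.
            if remaining == 0:
                return f"{cert.subject}: exceeds pathLenConstraint of an ancestor CA"
            if remaining is not None:
                remaining -= 1
        # A CA may only tighten the constraint, never loosen it. The trust anchor's
        # own value is honoured too, which RFC 5280 section 6.2 leaves to local policy.
        if cert.path_len is not None and (remaining is None or cert.path_len < remaining):
            remaining = cert.path_len
    return None

# Constructed three-CA hierarchy from the answer: no constraint on the root,
# pathLen 1 on the first subordinate, pathLen 0 on its child.
ROOT, SUB, CHILD, LEAF = Cert("root", True), Cert("sub", True, 1), Cert("child", True, 0), Cert("server", False)
VALID_CHAIN = [ROOT, SUB, CHILD, LEAF]
# CHILD (pathLen 0) attempting to confer CA status on a further CA: rejected.
TOO_DEEP_CHAIN = [ROOT, SUB, CHILD, Cert("grandchild", True, 0), LEAF]
# Nine subordinate CAs, none carrying a pathLenConstraint: nothing caps the depth.
UNBOUNDED_CHAIN = [ROOT] + [Cert(f"ca{i}", True) for i in range(9)] + [LEAF]
# Same depth, but ca0 sets pathLen 3: ca1..ca3 are allowed, ca4 is rejected.
CAPPED_CHAIN = [ROOT, Cert("ca0", True, 3)] + [Cert(f"ca{i}", True) for i in range(1, 9)] + [LEAF]

if __name__ == "__main__":
    for name, chain in [("valid", VALID_CHAIN), ("too deep", TOO_DEEP_CHAIN),
                        ("unbounded", UNBOUNDED_CHAIN), ("capped", CAPPED_CHAIN)]:
        print(f"{name}: {validate_path(chain) or 'OK'}")
```

The `unbounded` and `capped` cases show the point behind the original question: a chain longer than five CAs is rejected by relying parties only if a pathLenConstraint somewhere above it says so, not because of how many CAs happen to exist.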
Here is the guide on Path length constraint: https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-pathlength
Hi! I understand what a path length constraint is. My question is more about the mechanics of path lengths within PCA. For example, could I have a CA hierarchy with length 10 as long as only 5 levels are managed within PCA? Does PCA refuse to create X509 certificates with path length field values above 5? The documentation is unclear as to how this mechanism actually works. I suspect that it's a simple internal check that counts the number of CAs in the chain and refuses to create a sixth. This wouldn't prevent continuing the chain outside of PCA.