4.1 Basic Constraints Extension

The X.509 basic constraints extension is used to specify whether the certificate is for a certificate authority (CA). The extension has essentially two parts: a flag stating whether the subject is a CA, and an optional pathLenConstraint:

The pathLenConstraint can range from zero to infinite. If the value is zero, the CA cannot create other CAs, but it can still create end entity certificates (that is, user and server certificates). If the value is one, at most one level of CA can be created below this CA, and so on. If pathLenConstraint is not specified, the value is infinite and there is no restriction on the number of levels of CAs that can be created. CAs must have the basic constraints extension encoded. Certificates for non-CAs should not have the basic constraints extension encoded. The basic constraints extension uses the general purpose extension structure (Section 5.2), NPKI_Extension, described in Section 5.2.1, General Purpose Extension Structure.

The value field might or might not be present. If value is present, it should be one nuint32 encoded as the pathLenConstraint of the extension. If no path length constraint is desired (that is, a value of infinite), length should be set to 0 and value should not be present. There is one extension-specific flag defined for the basic constraints extension:

Value    Name                       Description
0x0100   X509_BASIC_CONSTRAINTS_CA  Specifies that the certificate is for a CA.
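The rules above (an issuer must carry the extension with the CA flag set, a pathLenConstraint of N allows at most N further levels of CA below that certificate, an absent value means unlimited, and a non-CA certificate should not carry the extension) are easiest to see as a chain check. The following is an added example written for this section; it is not part of the NPKI specification or any NPKI code. It works on a constructed, simplified view of each certificate (the CertInfo class and the chain data are assumptions for illustration) rather than on DER-encoded certificates, and orders the chain from root to end entity.

```python
"""Check a certificate chain against X.509 basic constraints rules.

Added example for the basic constraints section; CertInfo is a constructed
stand-in for the fields a real parser would extract from each certificate.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertInfo:
    subject: str
    has_basic_constraints: bool      # extension encoded at all?
    is_ca: bool                      # X509_BASIC_CONSTRAINTS_CA flag set?
    path_len: Optional[int] = None   # None == value absent == infinite


def chain_problems(chain: List[CertInfo]) -> List[str]:
    """Return a list of findings for chain[0] (root) .. chain[-1] (end entity).

    An empty list means the chain satisfies every basic constraints rule.
    """
    if not chain:
        return ["empty chain"]

    issuers = chain[:-1]   # every certificate that signed the one after it
    leaf = chain[-1]
    problems: List[str] = []

    for depth, cert in enumerate(issuers):
        # Rule 1: anything that issues certificates must be marked as a CA,
        # and CAs must have the extension encoded.
        if not cert.has_basic_constraints:
            problems.append(f"{cert.subject}: issuer has no basic constraints extension")
            continue
        if not cert.is_ca:
            problems.append(f"{cert.subject}: issuer does not have the CA flag set")

        # Rule 2: pathLenConstraint limits how many CA certificates may follow
        # this one; the end entity certificate does not count.
        if cert.path_len is not None:
            subordinate_cas = len(issuers) - depth - 1
            if subordinate_cas > cert.path_len:
                problems.append(
                    f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded "
                    f"by {subordinate_cas} subordinate CA(s)"
                )

    # Rule 3 (a SHOULD in this specification): a non-CA certificate should not
    # carry the extension at all.
    if leaf.has_basic_constraints and not leaf.is_ca:
        problems.append(f"{leaf.subject}: non-CA certificate has basic constraints encoded")

    return problems


if __name__ == "__main__":
    # Constructed chains: a root with no constraint, an intermediate with
    # pathLenConstraint 0, and an end entity without the extension.
    good = [
        CertInfo("Root CA", True, True, None),
        CertInfo("Issuing CA", True, True, 0),
        CertInfo("server", False, False),
    ]
    # Same, but someone has inserted another CA below the pathLen-0 issuer.
    bad = [
        CertInfo("Root CA", True, True, None),
        CertInfo("Issuing CA", True, True, 0),
        CertInfo("Rogue Sub CA", True, True, None),
        CertInfo("server", False, False),
    ]
    for name, chain in (("good", good), ("bad", bad)):
        print(name, chain_problems(chain) or "ok")
```

A pathLenConstraint of 0 on the issuing CA is what stops the "Rogue Sub CA" chain: the check counts one CA certificate below it where none is allowed. Real validators perform this same counting as part of path validation, so a leaf signed by a certificate that lacks the CA flag, or a chain that runs deeper than a constraint permits, is rejected regardless of whether the signatures verify.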