Novell Documentation: Novell Certificate Server Libraries for C

4.1 Basic Constraints Extension Values

The X.509 Basic Constraints extension is used to specify that a certificate belongs to a CA. The X.509 Basic Constraints extension has essentially two parts:

CA: Specifies whether the certificate is for a CA.
pathLenConstraint: If the certificate is for a CA, pathLenConstraint specifies how many subordinate levels of a certificate chain that the CA can certify. The pathLenConstraint can range from zero, meaning that the CA cannot certify other CAs but can certify leaf objects (that is, user and server certificates) to infinite (that is, when pathLenConstraint is not specified).

Certificates for CAs must have the Basic Constraints extension encoded. Other certificates should not.

The Basic Constraints extension uses the general-purpose extension structure NPKI_Extension described in Section 4.10, X.509 Extensions.

There is one value specific flag defined for the Basic Constraints extension:

Value	Name	Description
0xffffffff	X509_CA_PATH_LENGTH_UNLIMITED	Compare this value with the value returned in pathLenConstraint from NPKIT_x509BasicConstraintsInfo to determine if the CA path length is unlimited