Overview
PathLenConstraint is a Certificate Basic Constraint defined in RFC 5280. The field is meaningful only if the CA Constraint boolean is asserted and the KeyUsage extension, if present, asserts the keyCertSign bit.
In this case, it gives the maximum number of non-self-issued Intermediate Certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.)
A PathLenConstraint of zero indicates that no non-self-issued Intermediate Certificates may follow in a valid certification path. Where it appears, the PathLenConstraint field MUST be greater than or equal to zero.
When PathLenConstraint does NOT appear, no limit is imposed.
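The rules above, applied to whole certification paths with the running max_path_length counter that RFC 5280 path validation uses. This is an added example, not code from the original page; the Cert class, the function name and all certificate names are assumptions made up for illustration, and a real validator would fill these fields from parsed certificates.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class Cert:
    """Constructed stand-in for fields of a parsed certificate (assumed model)."""
    subject: str
    issuer: str
    ca: bool = False                      # basicConstraints cA boolean
    path_len: Optional[int] = None        # pathLenConstraint; None = absent
    key_cert_sign: Optional[bool] = None  # None = no KeyUsage extension

def check_path_len(path: Sequence[Cert]) -> Optional[str]:
    """Return None if `path` satisfies every pathLenConstraint, else a reason.

    `path` runs from the certificate issued by the trust anchor down to the
    target certificate; the trust anchor itself is not part of the path.
    """
    max_path_length = len(path)           # starts at n, i.e. no limit yet
    for cert in path[:-1]:                # the last certificate is never counted
        if not cert.ca:
            return f"{cert.subject}: cA not asserted"
        if cert.key_cert_sign is False:
            return f"{cert.subject}: KeyUsage lacks keyCertSign"
        if cert.path_len is not None and cert.path_len < 0:
            return f"{cert.subject}: negative pathLenConstraint"
        if cert.subject != cert.issuer:   # self-issued certificates are not counted
            if max_path_length <= 0:
                return f"{cert.subject}: exceeds pathLenConstraint"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None

# Constructed sample certificates; all names are made up.
POLICY = Cert("Policy CA", "Root", ca=True, path_len=1, key_cert_sign=True)
ISSUING = Cert("Issuing CA", "Policy CA", ca=True, path_len=0, key_cert_sign=True)
ROLLOVER = Cert("Issuing CA", "Issuing CA", ca=True, path_len=0, key_cert_sign=True)
ROGUE = Cert("Rogue Sub CA", "Issuing CA", ca=True, key_cert_sign=True)
LEAF = Cert("www.example.test", "Issuing CA")
ROGUE_LEAF = Cert("www.example.test", "Rogue Sub CA")

GOOD_PATH = [POLICY, ISSUING, LEAF]                # leaf directly under pathLen 0
BAD_PATH = [POLICY, ISSUING, ROGUE, ROGUE_LEAF]    # extra CA below pathLen 0
ROLLOVER_PATH = [POLICY, ISSUING, ROLLOVER, LEAF]  # self-issued cert not counted
CA_TARGET_PATH = [ISSUING, ROGUE]                  # last cert is a CA, still valid
```

BAD_PATH is the case the constraint exists to stop: a CA certificate issued beneath a pathLen 0 CA that then tries to issue certificates of its own.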