Using Basic Constraints

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Basic constraints allow an application to determine whether a certificate is a CA certificate, which the certificate chain engine can use to build certification paths, or an end-entity certificate, which cannot be used to issue other certificates and therefore cannot appear anywhere in a path except at the end.

You can also use basic constraints to limit the maximum number of CA certificates that can be included in a certification path below the CA that carries the constraint. For example, setting a path length of zero in the basic constraints section of the CAPolicy.inf file means that the CA can issue only end-entity certificates: no subordinate CA certificate may appear below it in a certification path. A path length of two allows two tiers of subordinate CAs below that CA, for a total of three CA certificates in a certification path. In the latter case, any certification path that includes more than three CA certificates is rejected. Because CAPolicy.inf is read when the CA certificate is generated or renewed, the constraint takes effect in the CA certificate produced at that time, and a looser path length set by a subordinate CA cannot override a tighter one set above it.

Use basic constraints if you do not want to trust CAs that might later be created lower in your organization's CA hierarchy. You can also use basic constraints in cross-certified relationships: if you trust your business partner and the certificates from all of their existing CAs, but you do not want to trust certificates from any additional CAs that they authorize later, place a path length constraint in the cross-certificate you issue to the partner's CA that permits only the existing tiers of their hierarchy.
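The following is an added example, not code from the original page or from Windows Server 2003 itself. It models, in Python, the Basic Constraints rules that a chain engine applies while building a certification path, and covers both the path length cases described above (zero, and two) and the cross-certification case in the last paragraph. The CA names (Contoso, Fabrikam) and the sample chains are constructed for illustration; a real engine reads the cA flag and pathLenConstraint from the certificate's Basic Constraints extension, which is represented here by two fields on a small Cert record.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (hypothetical data, not from the original page): a minimal model
# of how a chain engine applies the Basic Constraints extension. A Cert carries
# only the two values the extension provides: the cA flag and pathLenConstraint.


@dataclass(frozen=True)
class Cert:
    subject: str
    is_ca: bool                     # Basic Constraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None means absent (no limit)


def validate_path(chain: List[Cert]) -> Tuple[bool, str]:
    """Validate Basic Constraints along a chain ordered root -> ... -> end entity.

    Rules applied (the ones the page describes):
      * every certificate that issues another certificate must assert cA=TRUE;
      * a CA's pathLenConstraint caps how many further CA certificates may
        follow it in the path, so a path length of 0 allows end-entity certs only;
      * a tighter constraint lower in the path overrides a looser one above it,
        but a looser one lower down never relaxes a tighter one set above.
    Returns (accepted, reason).
    """
    if not chain:
        return False, "empty chain"
    remaining: Optional[int] = None  # CA certs still permitted below the current issuer
    for i, cert in enumerate(chain):
        if i == len(chain) - 1:
            return True, f"accepted: {i} CA certificate(s) above {cert.subject}"
        # cert issues chain[i + 1], so it must itself be a CA certificate
        if not cert.is_ca:
            return False, (f"rejected: {cert.subject} is an end-entity certificate "
                           f"but issued {chain[i + 1].subject}")
        if i > 0:
            # a subordinate CA consumes one unit of the budget set above it
            if remaining == 0:
                return False, f"rejected: {cert.subject} exceeds the path length constraint"
            if remaining is not None:
                remaining -= 1
        # this CA's own constraint may only tighten the remaining budget
        if cert.path_len is not None and (remaining is None or cert.path_len < remaining):
            remaining = cert.path_len
    return False, "unreachable"


# --- constructed sample chains (hypothetical CA names) -----------------------
ROOT_PL0 = Cert("Contoso Root (PathLength=0)", is_ca=True, path_len=0)
ROOT_PL2 = Cert("Contoso Root (PathLength=2)", is_ca=True, path_len=2)
SUB1 = Cert("Contoso Policy CA", is_ca=True)
SUB2 = Cert("Contoso Issuing CA", is_ca=True)
SUB3 = Cert("Contoso Branch CA", is_ca=True)
LEAF = Cert("user@contoso.example", is_ca=False)

PATH_LEN_0_DIRECT = [ROOT_PL0, LEAF]                        # accepted
PATH_LEN_0_WITH_SUB = [ROOT_PL0, SUB1, LEAF]                # rejected: no sub CA allowed
PATH_LEN_2_THREE_CAS = [ROOT_PL2, SUB1, SUB2, LEAF]         # accepted: three CA certs
PATH_LEN_2_FOUR_CAS = [ROOT_PL2, SUB1, SUB2, SUB3, LEAF]    # rejected: four CA certs
END_ENTITY_AS_ISSUER = [ROOT_PL2, LEAF, Cert("forged", is_ca=False)]  # rejected

# Cross-certification: Contoso issues a cross-certificate to Fabrikam's root with
# PathLength=1, so Fabrikam's existing issuing CA is trusted but a CA that Fabrikam
# adds beneath it later is not.
CONTOSO_ROOT = Cert("Contoso Root", is_ca=True)
FABRIKAM_XCERT = Cert("Fabrikam Root (cross-certified, PathLength=1)", is_ca=True, path_len=1)
FABRIKAM_ISSUING = Cert("Fabrikam Issuing CA", is_ca=True)
FABRIKAM_NEW = Cert("Fabrikam New Sub CA", is_ca=True)
FABRIKAM_LEAF = Cert("partner@fabrikam.example", is_ca=False)
XCERT_EXISTING = [CONTOSO_ROOT, FABRIKAM_XCERT, FABRIKAM_ISSUING, FABRIKAM_LEAF]            # accepted
XCERT_NEW_CA = [CONTOSO_ROOT, FABRIKAM_XCERT, FABRIKAM_ISSUING, FABRIKAM_NEW, FABRIKAM_LEAF]  # rejected

if __name__ == "__main__":
    for name, chain in [("pathlen0 direct", PATH_LEN_0_DIRECT),
                        ("pathlen0 with sub", PATH_LEN_0_WITH_SUB),
                        ("pathlen2 three CAs", PATH_LEN_2_THREE_CAS),
                        ("pathlen2 four CAs", PATH_LEN_2_FOUR_CAS),
                        ("end entity as issuer", END_ENTITY_AS_ISSUER),
                        ("cross-cert existing", XCERT_EXISTING),
                        ("cross-cert new CA", XCERT_NEW_CA)]:
        print(f"{name:<22} {validate_path(chain)[1]}")
```

The chains are listed root first so that the budget flows downward the way the constraint is meant to be read: the CA carrying PathLength=2 is itself the first of the three permitted CA certificates, and every subordinate below it spends one unit. When checking a real deployment, compare the pathLenConstraint in the CA certificate actually installed, not the value in CAPolicy.inf, since the file only influences the certificate generated at installation or renewal time.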