Basic constraints

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certification authorities (CAs) must have a certificate before they can issue certificates. They use the private key associated with this certificate to digitally sign issued certificates. When a CA obtains a certificate from another CA, the parent CA may want to control whether that certificate can be used to issue certificates to other certificate servers. This is a basic constraint.

Basic constraints are used to ensure that a certificate is only used in certain applications. One example is the path length, which can be specified as a basic constraint. A path length is the maximum number of CA certificates above this one in a certification path. This path length constraint is used to ensure that CA certificates can only issue end entity certificates, not CA certificates. In this way, some certificates are used by a CA and some are used by other subjects.
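The following added example (not part of the original documentation) models the basic-constraints checks a certificate path validator performs under RFC 5280 section 6.1.4: every certificate that issued another must have the CA flag set, and the path length constraint limits how many further CA certificates may sit between the constrained CA and the end entity certificate. The `Cert` class, the certificate names and the sample chains are constructed for illustration; no real certificates are parsed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False             # basicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None means absent

def check_basic_constraints(path: List[Cert]) -> List[str]:
    """Return basic-constraint violations for a path ordered root -> end entity."""
    errors = []
    max_path_length = len(path)     # RFC 5280 6.1.2 starts with the path length n
    for cert, child in zip(path, path[1:]):   # every cert that issued another one
        if not cert.is_ca:
            errors.append(f"{cert.subject} is not a CA but issued {child.subject}")
        if cert.subject != cert.issuer:       # self-issued certs are not counted
            if max_path_length <= 0:
                errors.append(f"{cert.subject} exceeds the path length constraint")
            else:
                max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len   # a tighter constraint takes over
    return errors

# Constructed sample certificates (hypothetical names, assumptions of this example).
ROOT = Cert("Root CA", "Root CA", is_ca=True, path_len=1)
ISSUING = Cert("Issuing CA", "Root CA", is_ca=True, path_len=0)
USER = Cert("user@example.test", "Issuing CA")
SUB = Cert("Sub CA", "Issuing CA", is_ca=True)
USER2 = Cert("user2@example.test", "Sub CA")
FAKE = Cert("svc@example.test", "user@example.test")

GOOD_PATH = [ROOT, ISSUING, USER]
TOO_DEEP = [ROOT, ISSUING, SUB, USER2]       # Issuing CA has path_len=0
NON_CA_ISSUER = [ROOT, ISSUING, USER, FAKE]  # end entity cert used as an issuer

if __name__ == "__main__":
    for name, path in [("good", GOOD_PATH), ("too deep", TOO_DEEP),
                       ("non-CA issuer", NON_CA_ISSUER)]:
        print(name, check_basic_constraints(path) or "ok")
```

With a path length of 0 on the issuing CA, the subordinate CA beneath it is rejected even though its own CA flag is set, which is how a parent CA keeps a child from creating further CAs.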