Hello,
I think --path-length should be set to 2 for the RootCA, otherwise the ICA1 could not generate any certificate.
Here is the related doc page: Build Certificate Authority (CA) in Vault with an offline Root | Vault - HashiCorp Learn
Agreed - depends on certstrap version having that flag, still seems to generate certs but verifying fails
Interesting, I was going to write a post about this too when I saw this. Indeed, the path length should be explicit, otherwise certstrap will generate it with path length 1.
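The effect discussed in this thread, as an added example that is not part of the original posts or the linked tutorial: issuance succeeds either way, but chain verification rejects the leaf when the root's path length is too small. It uses Go's standard `crypto/x509` rather than certstrap, and assumes a Root -> ICA1 -> ICA2 -> leaf hierarchy; all certificate names are constructed for the example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a cert for cn under parent (self-signed if nil); pathLen -1 omits pathLenConstraint.
func issue(cn string, ca bool, pathLen int, parent *x509.Certificate, pk *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
	}
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// verifyLeaf builds Root -> ICA1 -> ICA2 -> leaf (assumed hierarchy) and verifies the leaf.
func verifyLeaf(rootPathLen int) error {
	root, rk := issue("Example Root CA", true, rootPathLen, nil, nil)
	ica1, k1 := issue("Example ICA1", true, -1, root, rk)
	ica2, k2 := issue("Example ICA2", true, -1, ica1, k1)
	leaf, _ := issue("leaf.example.test", false, -1, ica2, k2)
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	mids.AddCert(ica1)
	mids.AddCert(ica2)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids})
	return err
}

func main() {
	fmt.Printf("root pathlen 1: %v\nroot pathlen 2: %v\n", verifyLeaf(1), verifyLeaf(2))
}
```

Nothing in the signing step checks the issuer's path length, so every certificate is created without error; the constraint only takes effect when a relying party builds and validates the chain.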