Error with max_path_length

I am following the “Build Certificate Authority (CA) in Vault with an offline Root” article, but when i reach the Step 4: “Generate ICA2 in vault” i create a Terraform file named, “test_org_ica2.tf” and when i do terraform apply, receive an error saying “signing certificate has a max path length of zero, and cannot issue further CA certificates”.

The article: Build Certificate Authority (CA) in Vault with an offline Root | Vault | HashiCorp Developer

I followed this article step by step with a clean vault installation and cannot find any information about that error.

Is there any command to change de value of the max path length?

Bellow i left a screenshot of the error.

error1104×318 110 KB

Thank you!

A quick look suggests that a change in the upstream certstrap tool has rendered the tutorial as written broken - Add support for setting `pathlen` on CA certificates and intermediate CA by socheatsok78 · Pull Request #135 · square/certstrap · GitHub.

You should disregard this tutorial and follow the one that does not use certstrap, that is linked in the first paragraph of the page:

This learn tutorial builds on the Build Your Own Certificate Authority (CA) tutorial and demonstrates how to create the CA chain hierarchy with an offline root and online intermediate CAs in Vault.

I found the issue.
Just add the flag " --path-length 2 " creating certificate with certstrap and will work