In the tutorial "Build Certificate Authority (CA) in Vault with an offline Root | Vault - HashiCorp Learn", when creating ICA2, there is the following comment on step 4, "Run ICA2 x509 certificate constraint check":
##########
Notice that the X509v3 Basic Constraints value pathlen:1, ensures that ICA2 can only sign CSR requests, but not create more intermediate certificate authorities.
##########
It was my understanding that end entity CAs that cannot create more intermediate auths would have a pathlen:0.
Is this a documentation error?
Thanks
Paul C
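
The pathLenConstraint bookkeeping from RFC 5280 section 6.1.4 (steps k to m), run against chains under ICA2 with pathlen:1 and pathlen:0. This is an added example, not part of the original post or the tutorial; it models only the basicConstraints fields (no parsing or signature checks), and ICA3, ICA4 and "leaf" are hypothetical names.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    name: str
    is_ca: bool                      # basicConstraints CA:TRUE / CA:FALSE
    path_len: Optional[int] = None   # None means no pathLenConstraint present
    self_issued: bool = False        # subject == issuer, e.g. a root


def check_path_len(chain: List[Cert]) -> Optional[str]:
    """Return None if the chain passes, else the reason it fails.

    chain is ordered from the topmost CA down to the certificate being validated.
    """
    max_path_length = len(chain)     # initial value never limits the chain itself
    for cert in chain[:-1]:          # every certificate except the last is an issuer
        if not cert.is_ca:
            return f"{cert.name} is not a CA but issued a certificate"
        if not cert.self_issued:
            if max_path_length <= 0:
                return f"{cert.name} sits deeper than an issuer's pathLenConstraint allows"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None


def ica2_chain(path_len: int, extra_cas: int) -> List[Cert]:
    """Constructed sample: ICA2, then extra_cas hypothetical sub-CAs, then a leaf."""
    cas = [Cert("ICA2", True, path_len)]
    cas += [Cert(f"ICA{3 + i}", True) for i in range(extra_cas)]
    return cas + [Cert("leaf", False)]


if __name__ == "__main__":
    for path_len in (1, 0):
        for extra in (0, 1, 2):
            result = check_path_len(ica2_chain(path_len, extra))
            print(f"pathlen:{path_len}, {extra} CA(s) below ICA2 ->", result or "valid")
```
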