CA pathlength
Got a couple of questions about pathlengths.

1. Assume when I set up my PKI with a Root and 2 subordinates I did not use the pathlength option in any capolicy.inf file. This means I can create virtually an unlimited number of subordinates down in the PKI, yes or no?

2. Assume when creating the Root CA I did set a pathlength that only allowed me to create one more level of Subordinates, so I have the Root and 2 subordinates below that. I now want to create a 3rd layer of subordinates, can I do this? Is there a way to alter this path length?

Thanks.
June 22nd, 2011 5:10am

1) Yes.

2) No, you can't. Once you have defined a PathLength constraint, this number will be decreased by one at each subsequent level. For example:

RootCA PathLength = 1
SubCA PathLength = 0

In this case, when you attempt to issue another SubCA certificate from the SubCA server, the request will be denied by a policy module due to path length constraints. There is no way to alter this even if you use 3rd party tools like makecert or openssl, because the certificate will fail certificate chaining engine checking.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 22nd, 2011 9:33am
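The path length rule discussed in the answer above, as an added example that is not part of the original thread: a simplified model of the RFC 5280 path length check, run over a constructed hierarchy. The names `SubCA2`, `server1` and `server2` and the `Cert` model are assumptions made for illustration; this is not the Windows chaining engine's code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:
    """Only the fields that matter for path length checks (constructed model)."""
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int] = None  # None = no pathLenConstraint in basicConstraints

def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """chain is ordered root first, the certificate being validated last."""
    remaining: Optional[int] = None  # CA levels still allowed; None = unlimited
    for position, cert in enumerate(chain[:-1]):  # every cert that signs another
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA certificate"
        self_issued = cert.subject == cert.issuer
        if position > 0 and not self_issued and remaining is not None:
            if remaining == 0:
                return False, f"{cert.subject}: path length constraint violated"
            remaining -= 1
        # A certificate can only tighten the limit it inherited, never widen it.
        if cert.path_len is not None and (remaining is None or cert.path_len < remaining):
            remaining = cert.path_len
    return True, "ok"

# Constructed sample hierarchy matching the PathLength values in the answer.
ROOT = Cert("RootCA", "RootCA", True, path_len=1)
SUB = Cert("SubCA", "RootCA", True, path_len=0)
SUB2 = Cert("SubCA2", "SubCA", True, path_len=5)  # third tier, claims its own limit
LEAF_OK = Cert("server1", "SubCA", False)
LEAF_DEEP = Cert("server2", "SubCA2", False)

if __name__ == "__main__":
    print(check_path_length([ROOT, SUB, LEAF_OK]))         # two-tier chain
    print(check_path_length([ROOT, SUB, SUB2, LEAF_DEEP]))  # chain through a third tier
```

The larger value that `SubCA2` claims for itself has no effect, because the limit is inherited from the certificates above it in the chain.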

This topic is archived. No further replies will be accepted.
