-rw-r--r-- | myrpki/myirbe.py | 2 | ||||
-rw-r--r-- | myrpki/myrpki.conf | 7 | ||||
-rw-r--r-- | myrpki/myrpki.py | 12 |
3 files changed, 14 insertions, 7 deletions
diff --git a/myrpki/myirbe.py b/myrpki/myirbe.py
index c86eb736..9debb4b0 100644
--- a/myrpki/myirbe.py
+++ b/myrpki/myirbe.py
@@ -149,7 +149,7 @@ if hosted_cacert:
 if hosted_cacert:
-  bpki_rpkid.fxcert(my_handle + ".cacert.cer", hosted_cacert, restrict_pathlen = False)
+  bpki_rpkid.fxcert(my_handle + ".cacert.cer", hosted_cacert, path_restriction = 1)
 
 if hosted_cacert:
   bpki_pubd.fxcert(my_handle + ".cacert.cer", hosted_cacert)
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index 132ebfd3..fd9e54d3 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
@@ -40,11 +40,16 @@ CN = Dummy name for certificate request
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 
-[ca_x509_ext_xcert]
+[ca_x509_ext_xcert0]
 basicConstraints = critical,CA:true,pathlen:0
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 
+[ca_x509_ext_xcert1]
+basicConstraints = critical,CA:true,pathlen:1
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
 [ca_x509_ext_ca]
 basicConstraints = critical,CA:true
 subjectKeyIdentifier = hash
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index 7658ffa8..7e46c7a6 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -199,6 +199,9 @@ def PEMElement(e, tag, filename):
 
 class CA(object):
 
+  path_restriction = { 0 : "ca_x509_ext_xcert0",
+                       1 : "ca_x509_ext_xcert1" }
+
   def __init__(self, cfg, dir):
     self.cfg = cfg
     self.dir = dir
@@ -290,14 +293,14 @@ class CA(object):
     PEMElement(e, "bpki_bsc_certificate", cer_file)
     PEMElement(e, "bpki_bsc_pkcs10", req_file)
 
-  def fxcert(self, filename, cert, restrict_pathlen = True):
+  def fxcert(self, filename, cert, path_restriction = 0):
     fn = os.path.join(self.dir, filename)
     f = open(fn, "w")
     f.write(cert)
     f.close()
-    return self.xcert(fn, restrict_pathlen)
+    return self.xcert(fn, path_restriction)
 
-  def xcert(self, cert, restrict_pathlen = True):
+  def xcert(self, cert, path_restriction = 0):
 
     if not cert:
       return None
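Review bot: The new `path_restriction = 1` on the rpkid cross-certification is a bare magic number, while the pubd call two lines below silently relies on the default of 0, and nothing in the hunk says why the two differ. A one-line comment above the rpkid call would spare the next reader a trip into myrpki.conf, e.g. `# pathlen 1: rpkid's cross-cert of a hosted CA must leave room for that CA to cross-certify its own children's BPKI CAs; pubd only ever sees its EE (BSC) certs, so pathlen 0 is enough` — the rationale is inferred from the BPKI layout rather than visible here, so confirm it before committing the comment. Before this change the rpkid cross-cert was issued under `ca_x509_ext_ca` with no pathlen at all, so this is a tightening, and deployments will only pick it up when the cross-certificate is actually re-issued.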
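Review bot: The renamed `[ca_x509_ext_xcert0]` and new `[ca_x509_ext_xcert1]` sections are now selected by name from the `CA.path_restriction` table in myrpki.py, and the numeric suffix is the only thing keeping the two in agreement, but the file does not say so. Add a comment above the first of them, e.g. `# ca_x509_ext_xcertN: extensions for cross-certificates carrying pathlen:N. Section names are hard-wired in CA.path_restriction (myrpki.py); keep both in step.` Because the old `[ca_x509_ext_xcert]` name no longer exists, anything else still passing `-extensions ca_x509_ext_xcert` to openssl ca will now fail at run time, so a grep of the tree for the old name is worth doing before merging.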
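Review bot: `path_restriction` is keyed by `int`, and since `bool` is a subclass of `int`, a stale caller still passing the old boolean `restrict_pathlen` positionally is silently remapped rather than rejected: `True` now selects pathlen:1 where it used to mean pathlen:0, and `False` selects pathlen:0 where it used to mean no pathlen at all. Keyword callers at least fail with a TypeError on the removed name; positional ones get a different basicConstraints on the issued cross-certificate without any error. Consider rejecting bools explicitly wherever the table is consulted and documenting the contract on the attribute, e.g. `# Maps a pathlen value (0 or 1) to the myrpki.conf extension section used when cross-certifying; bool keys alias 0/1 and must be refused by callers.` The class body continues outside this hunk.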
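Review bot: `fxcert` writes `cert` to disk before anything checks that `path_restriction` is a key of `self.path_restriction`, so an invalid value leaves the file behind and then fails later in `xcert` with a bare KeyError (in the following hunk). Validate up front and name the bad value: `if path_restriction not in self.path_restriction: raise ValueError("Unknown path restriction %r" % path_restriction)` at the top of `fxcert`, and the same guard at the top of `xcert`, which is public too. Both methods also gained a new parameter with no docstring; a one-liner such as `"""Cross-certify cert; path_restriction is the pathlen (0 or 1) written into basicConstraints."""` would record the contract. The body of `xcert` runs past the end of this hunk.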
@@ -321,8 +324,7 @@ class CA(object):
     # OpenSSL command line tool.
 
     if not os.path.exists(xcert):
-      self.run_ca("-ss_cert", cert, "-out", xcert, "-extensions",
-                  "ca_x509_ext_xcert" if restrict_pathlen else "ca_x509_ext_ca")
+      self.run_ca("-ss_cert", cert, "-out", xcert, "-extensions", self.path_restriction[path_restriction])
 
     return xcert
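Review bot: The selected extension section only takes effect on the `if not os.path.exists(xcert)` miss: an existing cross-certificate file is returned as-is, so `path_restriction` is ignored for every certificate already cross-certified under the old profile, including the rpkid cross-cert that this same commit tightens from an unconstrained CA to pathlen:1. Either fold the restriction into the cached file name (which appears to be computed earlier in `xcert`, outside this hunk) or document the operational consequence next to the check, e.g. `# NOTE: an existing cross-cert is reused regardless of path_restriction; remove the .xcert file to re-issue it with a different pathlen.` The unvalidated `self.path_restriction[path_restriction]` lookup also surfaces here as a bare KeyError; a `ValueError` naming the offending value would be friendlier. `xcert` begins outside this hunk.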