Error: "too many intermediates for path length constraint" when registering a new identity

Time: 2018-08-03 09:25:01

Tags: hyperledger-fabric hyperledger-fabric-ca

In hyperledger fabric-ca I created a CA chain, for example:

Root CA - Intermediate CA 1 - Intermediate CA 2 - Intermediate CA 3

With these CAs, in the fabric-ca-config.yaml file I set "maxpathlen: 5" in the "signing" section and "pathlength: 5" in the "csr" section.
That means my chain should be valid for at least 4 intermediate CAs, and I should be able to register new identities on Intermediate CA 3.

In fact, I can enroll the admin of Intermediate CA 3, but when I register a new identity I get this error:

/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: too many intermediates for path length constraint"

What did I do wrong, and how should this value be configured?
My config file:

# Version of config file
version: 1.1.0

# Server's listening port (default: 7054)
port: 7054

# Enables debug logging (default: false)
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
     - name: Admin
       pass: adminpw
       type: client
       affiliation: 
       attrs:
          hf.Registrar.Roles: "*"
          hf.Registrar.DelegateRoles: "*"
          hf.Revoker: true
          hf.IntermediateCA: true
          hf.GenCRL: true
          hf.Registrar.Attributes: "*"
          hf.AffiliationMgr: true

affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

signing:
    default:
      usage:
        - digital signature
      expiry: 8760h
    profiles:
      ca:
         usage:
           - cert sign
           - crl sign
         expiry: 43800h
         caconstraint:
           isca: true
           maxpathlen: 5
      tls:
         usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
         expiry: 8760h

csr:
   cn: fabric-ca-server
   names:
      - C: US
        ST: "California"
        L:
        O: Hyperledger
        OU: Fabric
   hosts:
     - ca
     - localhost
   ca:
      expiry: 131400h
      pathlength: 5

1 Answer:

Answer 0 (score: 0)

I found the root cause, and it is simple: when I initialized the network I did not create the certificates/keys myself and configure them, so Fabric-CA used its own self-generated key/certificate (the default configuration is maxpathlen = 1).
If I create the certificates/keys myself, with pathlength > 3 in the cert config, my network works.
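The error text in the question comes from Go's crypto/x509 verifier, which Fabric CA (a Go program) uses to validate the registrar's certificate on /register. The verifier walks the chain from the leaf upwards and, for every CA certificate that carries a pathlen constraint, compares that value with the number of intermediate CAs already sitting below it; one CA with too small a pathlen fails the whole chain no matter what the other CAs say. The following Go program is an added example, not code from the question, the answer, or the fabric-ca project: it builds root -> N intermediates -> leaf in memory with chosen pathlen values and verifies the leaf, reproducing the failure when the root's pathlen is smaller than the number of intermediates beneath it. The function names BuildAndVerify and IsPathLenError, the subject names root/ica1../admin and the P-256 keys are my choices; the program is parameterized so it goes beyond the single 3-intermediate chain in the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed in-memory CA hierarchy; no fabric-ca code is involved.
// Serial numbers are a plain counter, which is fine for a throwaway demo only.
var serial int64

type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// caTemplate mirrors what fabric-ca's signing.profiles.ca block produces:
// a CA certificate with basic constraints isca=true and the given maxpathlen.
// A negative maxPathLen means "no path length constraint" (Go's convention).
func caTemplate(cn string, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0, // Go needs this flag to encode an explicit pathlen:0
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{cert: cert, key: key}, nil
}

// BuildAndVerify builds root -> numIntermediates intermediate CAs -> leaf and
// verifies the leaf against the root, the same check a server performs on a
// client's enrollment certificate. It returns the verification error, if any.
func BuildAndVerify(rootPathLen, intermediatePathLen, numIntermediates int) error {
	root, err := issue(caTemplate("root", rootPathLen), nil)
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool()
	parent := root
	for i := 1; i <= numIntermediates; i++ {
		ica, err := issue(caTemplate(fmt.Sprintf("ica%d", i), intermediatePathLen), parent)
		if err != nil {
			return err
		}
		intermediates.AddCert(ica.cert)
		parent = ica
	}
	// The identity being registered: an end-entity certificate, not a CA.
	leaf, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "admin"},
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}, parent)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root.cert)
	_, err = leaf.cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// IsPathLenError reports whether err is the x509 "too many intermediates for
// path length constraint" failure quoted in the question.
func IsPathLenError(err error) bool {
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) {
		return invalid.Reason == x509.TooManyIntermediates
	}
	// Fallback: some Go versions surface it only as the hint text inside UnknownAuthorityError.
	return err != nil && strings.Contains(err.Error(), "too many intermediates")
}

func main() {
	// Three intermediates under a root whose pathlen is 1: fails like the question.
	fmt.Println("root pathlen 1, ICA pathlen 5:", BuildAndVerify(1, 5, 3))
	// pathlen 3 on every CA is exactly enough for three intermediates.
	fmt.Println("root pathlen 3, ICA pathlen 3:", BuildAndVerify(3, 3, 3))
}
```

Two points worth keeping in mind when mapping this to the YAML above. The csr.ca.pathlength value only goes into the certificate the server generates for itself (the self-signed root, or the CSR an intermediate sends to its parent), while signing.profiles.ca.caconstraint.maxpathlen goes into certificates this server issues to subordinate CAs; the constraint that bites is the smallest one along the chain, so the value that matters for the root's certificate is the one in force on the root server when it was created. And fabric-ca-server keeps an existing ca-cert.pem and key on start, so editing the YAML after init does not reissue the root with a new pathlen; the certificate has to be regenerated (or created by hand, as the answer does) for the change to take effect.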