Since I just found this topic from the error message and managed to figure out the problem, I figured I would post the solution...

The issue with the AD subordinate cert is that it was missing pathlen:0, which is what prohibits this CA from issuing more subordinate certs. This is a cert policy construct that we can edit with a command on our Microsoft CA. From a cmd prompt with administrative rights on your CA server, run the command:

    certutil -setreg Policy\CAPathLength 1

After you issue that command, go and resubmit your CA request and get your cert (rename the file extension to crt); the dashboard will now accept it.

More info on constraints: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/constraints-what-they-are-and-how-they8217re-used/1129048
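One way to confirm that a reissued subordinate CA certificate actually carries a path length constraint before uploading it, as an added example that is not part of the original post. It reads the Basic Constraints extension with the .NET `X509BasicConstraintsExtension` class; the function name `Get-CaPathLength` and the file name in the usage comment are hypothetical.

```powershell
# Added example (not from the original post): read the Basic Constraints
# extension of an issued CA certificate and report its path length constraint.
# Get-CaPathLength is a hypothetical helper name.
function Get-CaPathLength {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # DER or Base64 encoded certificate file (.cer/.crt)
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # 2.5.29.19 is the OID of the Basic Constraints extension.
    $ext = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.19' } |
        Select-Object -First 1

    $result = [ordered]@{
        Subject                 = $cert.Subject
        HasBasicConstraints     = $false
        IsCA                    = $false
        HasPathLengthConstraint = $false
        PathLength              = $null
    }

    if ($ext) {
        # Re-decode the raw extension so the typed properties are available
        # regardless of how the runtime materialized the collection entry.
        $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $ext, $ext.Critical
        $result.HasBasicConstraints     = $true
        $result.IsCA                    = $bc.CertificateAuthority
        $result.HasPathLengthConstraint = $bc.HasPathLengthConstraint
        if ($bc.HasPathLengthConstraint) {
            $result.PathLength = $bc.PathLengthConstraint
        }
    }

    [pscustomobject]$result
}

# Usage (file name is a placeholder):
# Get-CaPathLength -Path .\subca.crt | Format-List
```

A certificate issued without the constraint reports `HasPathLengthConstraint : False` and an empty `PathLength`; one issued with it reports `True` and the numeric value.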