diff --git a/x509util/extensions.go b/x509util/extensions.go
index fb305c36..2b1c8527 100644
--- a/x509util/extensions.go
+++ b/x509util/extensions.go
@@ -293,9 +293,17 @@ type BasicConstraints struct {
 // Set sets the basic constraints to the given certificate.
 func (b BasicConstraints) Set(c *x509.Certificate) {
 c.IsCA = b.IsCA
- c.MaxPathLen = b.MaxPathLen
- if c.MaxPathLen < 0 {
- c.MaxPathLen = -1
+ if c.IsCA {
+ c.BasicConstraintsValid = true
+ switch {
+ case b.MaxPathLen == 0:
+ c.MaxPathLen = b.MaxPathLen
+ c.MaxPathLenZero = true
+ case b.MaxPathLen < 0:
+ c.MaxPathLen = -1
+ default:
+ c.MaxPathLen = b.MaxPathLen
+ }
 }
 }
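Review bot: When `b.IsCA` is false, `Set` now leaves `c.BasicConstraintsValid`, `c.MaxPathLen` and `c.MaxPathLenZero` at whatever the certificate already held, whereas the removed lines always overwrote `c.MaxPathLen`. If a caller ever passes a template that was populated earlier (callers are not visible in this hunk), a leaf certificate could keep stale CA path-length fields; an explicit `} else { c.MaxPathLen = 0; c.MaxPathLenZero = false }` would make the result depend only on `b`. The `b.MaxPathLen < 0` and `default` cases likewise never reset `c.MaxPathLenZero` to false. The doc comment should also say that, for a CA, a zero `MaxPathLen` becomes an explicit path length of 0 and a negative value means no limit, because a `BasicConstraints` value with the field left at its zero value now yields the most restrictive constraint.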