You misunderstand how it's supposed to work. OpenSSL does not prevent you from signing anything. It can't; for example, you could use other software and generate the signature.
Instead, when the recipient gets a certificate, and verifies the chain, it
should reject the chain because the signing CA was not legitimate (pathlen
exceeded).
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
