错误 - 注册新标识时“路径长度约束的中间体太多”

在hyperledger fabric-ca中，我创建了一系列CA，如：

根CA - 中间CA 1 - 中间CA 2 - 中间CA 3

使用这些CA，在fabric-ca-config.yaml文件的"signing"部分中设置"maxpathlen:5"，在"csr"部分中设置"pathlength:5"
这意味着我的链对至少4个中级CA有效，我可以在中级CA 3中注册新的身份 .

事实上，我可以注册中级CA 3的管理员，但是，当我注册新的身份时，我有这样的错误：

/ register 401 26“不受信任的证书：无法验证证书：x509：路径长度约束的中间体太多”

我做错了什么，以及如何配置这个值
我的配置文件

# Version of config file
version: 1.1.0

# Server's listening port (default: 7054)
port: 7054

# Enables debug logging (default: false)
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
     - name: Admin
       pass: adminpw
       type: client
       affiliation: 
       attrs:
          hf.Registrar.Roles: "*"
          hf.Registrar.DelegateRoles: "*"
          hf.Revoker: true
          hf.IntermediateCA: true
          hf.GenCRL: true
          hf.Registrar.Attributes: "*"
          hf.AffiliationMgr: true

affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

signing:
    default:
      usage:
        - digital signature
      expiry: 8760h
    profiles:
      ca:
         usage:
           - cert sign
           - crl sign
         expiry: 43800h
         caconstraint:
           isca: true
           maxpathlen: 5
      tls:
         usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
         expiry: 8760h

csr:
   cn: fabric-ca-server
   names:
      - C: US
        ST: "California"
        L:
        O: Hyperledger
        OU: Fabric
   hosts:
     - ca
     - localhost
   ca:
      expiry: 131400h
      pathlength: 5