Self signed certificate path constraint exceeded

"Self-issued" refers to a certificate in the chain that is issued to itself - that is, Subject and Issuer are the same. This is usually used for key changeover purposes and can be ignored otherwise.

Your problem arises because you've placed the basicConstraint pathLenConstraint of 0 on the Root. With a value of 0, it should be on the last CA in the chain - the one you call Intermediate CA.

From RFC 5280:

A pathLenConstraint of zero indicates that no [non-self-issued] intermediate CA certificates may follow in a valid certification path

It's wise not to put a pathLenConstraint on your Root, as you may not know at the time of signing how your subordinate CAs will pad out over time.


If the root has a MaxPathLen=0, then it can only issue end-entity certificates and no intermediate CA certificates can follow. The Root CA is self-signed.

In your case, the Root has issued an intermediate CA, and that is not allowed, and you will get the error you described.

non-self-issued intermediate certificates

This refers to intermediate CAs that can follow the Root that are issued by that Root.

Or it is not valid, because the intermediate counts as a non-self-issued certificate.

That is correct; the intermediate exceeds the MaxPathLen = 0.

Self

Refers to the Root.

Root CA and maxPathLen

The root CA with a maxPathLen >= 1 will work for the scenario presented. It can have an intermediate CA and that intermediate can sign end-entity certs.

Root -> ICA -> EE

However, with maxPathLen=1, the following will not work:

Root -> ICA-1 -> ICA-2 -> EE
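As an added example (not code from the question or either answer), the Go program below builds the chains discussed above with crypto/x509, whose certificate template names the constraint MaxPathLen just as the answer does, and asks Go's verifier to validate each one. The subject names Root, ICA-n and EE, the 24-hour validity and the helper names makeCert/verifyChain are constructed for this example, and it assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a cert for cn signed by parent/parentKey (self-signed when parent is nil); pathLen is the pathLenConstraint, -1 for none.
func makeCert(cn string, isCA bool, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{ // no KeyUsage/EKU: they play no part in the path-length check
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0, // Go encodes an explicit 0 via MaxPathLenZero
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}

// verifyChain builds Root(rootPathLen) -> nICA intermediates -> EE and returns the verifier's error: nil for a valid path, an error citing "too many intermediates for path length constraint" when the Root's limit is exceeded.
func verifyChain(rootPathLen, nICA int) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	parent, key := makeCert("Root", true, rootPathLen, nil, nil)
	roots.AddCert(parent)
	for i := 1; i <= nICA; i++ { // intermediates carry no pathLenConstraint of their own
		parent, key = makeCert(fmt.Sprintf("ICA-%d", i), true, -1, parent, key)
		inters.AddCert(parent)
	}
	leaf, _ := makeCert("EE", false, -1, parent, key)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() { fmt.Println(verifyChain(0, 1), "|", verifyChain(1, 1), "|", verifyChain(1, 2)) } // Root(0)->ICA->EE fails, Root(1)->ICA->EE verifies, Root(1)->ICA-1->ICA-2->EE fails
```

Go applies the pathLenConstraint carried by the root itself, not only those on intermediates, so Root(0) -> ICA -> EE is rejected with "too many intermediates for path length constraint", the situation described in the answer.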