diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index 01f07689e..b8ddb2864 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -471,6 +471,11 @@ command = {
 type = "string"
 help = "Lifetime of certificate"
 }
+ option = {
+ long = "path-length"
+ type = "integer"
+ help = "Maximum path length (for CA or proxy certificates)"
+ }
 option = {
 long = "hostname"
 type = "strings"
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 659d7afa8..ac5235bdd 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1339,12 +1339,12 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 eval_types(context, tbs, opt);
 if (opt->issue_ca_flag) {
- ret = hx509_ca_tbs_set_ca(context, tbs, -1);
+ ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
 if (ret) hx509_err(context, ret, 1, "hx509_ca_tbs_set_ca");
 }
 if (opt->issue_proxy_flag) {
- ret = hx509_ca_tbs_set_proxy(context, tbs, 1);
+ ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer);
 if (ret) hx509_err(context, ret, 1, "hx509_ca_tbs_set_proxy");
 }
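Review bot: The new `path-length` option in lib/hx509/hxtool-commands.in declares no `default`, while the hxtool.c hunk of this commit starts passing `opt->path_length_integer` where `-1` (CA) and `1` (proxy) were hard-coded. If the command generator initialises an unset integer option to 0, which is not visible here and should be confirmed, then `--issue-ca` without `--path-length` would issue a CA certificate with a path length of 0 where the old code passed `-1`. I would add `default = "-1"` to the option, so that an omitted flag is distinguishable from an explicit 0. The help text should also say what a negative value means, for example `help = "Maximum path length (for CA or proxy certificates), negative means not set"`. The enclosing `command = {` block starts and ends outside this hunk.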
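Review bot: The CA and proxy branches in hxtool_ca used different constants before (`-1` and `1`) and now both read the same `opt->path_length_integer`, so no single "not given" value can preserve both old behaviours. For the proxy branch in particular, an unset or negative value should not silently widen or narrow the delegation depth. I would treat a negative value as "not given" and keep the old limit there: `hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer < 0 ? 1 : opt->path_length_integer);`. The integer also reaches both library calls unchecked, and whether hx509 rejects out-of-range values is not visible in this hunk, so a short comment stating the accepted range and the meaning of a negative value would help the next reader. hxtool_ca's body starts and ends outside the hunk.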