diff --git a/lib/x509.js b/lib/x509.js
index b4a4f6d7a..21919fdf9 100644
--- a/lib/x509.js
+++ b/lib/x509.js
@@ -3186,10 +3186,10 @@ pki.verifyCertificateChain = function(caStore, chain, options) {
 error: pki.certificateError.bad_certificate
 };
 }
- // if error is not null and keyUsage is available, then we know it
- // has keyCertSign and there is a basic constraints extension too,
- // which means we can check pathLenConstraint (if it exists)
- if(error === null && keyUsageExt !== null &&
+ // if error is not null and basic constraints extension exists,
+ // check pathLenConstraint (if it exists); this must be enforced
+ // regardless of whether keyUsage extension is present
+ if(error === null && bcExt !== null &&
 'pathLenConstraint' in bcExt) {
 // pathLen is the maximum # of intermediate CA certs that can be
 // found between the current certificate and the end-entity (depth 0)
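Review bot: The rewritten comment on the first added line still says "if error is not null" while the guard it describes tests `error === null`, so the comment contradicts the code on the very line that carries the security fix; it should read `// if no error so far and a basic constraints extension exists,`. Dropping the `keyUsageExt !== null` precondition is the right direction — a CA certificate without a keyUsage extension previously escaped pathLenConstraint enforcement entirely — and it would help a later reader to say so in the comment, e.g. `// (a CA cert with no keyUsage extension must not bypass this check)`. Note that `'pathLenConstraint' in bcExt` is the correct test here since a pathLenConstraint of 0 is a valid value that a truthiness check would skip; I would also confirm that `bcExt` is initialised to `null` rather than left `undefined` when the extension is absent, as the `!== null` comparison depends on it. The enclosing verifyCertificateChain body starts and ends outside this hunk, so whether an earlier check already rejects a non-CA certificate in a CA position (which decides if `bcExt.cA` needs to be consulted here) cannot be seen from this diff.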