diff --git a/.changelog/5107.txt b/.changelog/5107.txt
new file mode 100644
index 00000000000..5a61a459bed
--- /dev/null
+++ b/.changelog/5107.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+privateca: fixed the creation of subordinate `google_privateca_certificate_authority` with `max_issuer_path_length = 0`.
+```
diff --git a/google/resource_privateca_ca_pool.go b/google/resource_privateca_ca_pool.go
index c6725ed3fc2..fc35846359f 100644
--- a/google/resource_privateca_ca_pool.go
+++ b/google/resource_privateca_ca_pool.go
@@ -1408,7 +1408,7 @@ func expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptions(v interface{}, d
 transformedMaxIssuerPathLength, err := expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 if err != nil {
 return nil, err
- } else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+ } else {
 transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 }
diff --git a/google/resource_privateca_certificate_authority.go b/google/resource_privateca_certificate_authority.go
index 559c616e84f..9c3dc72656c 100644
--- a/google/resource_privateca_certificate_authority.go
+++ b/google/resource_privateca_certificate_authority.go
@@ -1318,7 +1318,7 @@ func expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptions(v interface{},
 transformedMaxIssuerPathLength, err := expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 if err != nil {
 return nil, err
- } else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+ } else {
 transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 }
diff --git a/google/resource_privateca_certificate_authority_generated_test.go b/google/resource_privateca_certificate_authority_generated_test.go
index a1348e206be..a91f6860c2b 100644
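Review bot: With the emptiness guard replaced by a bare `else` in expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptions, `maxIssuerPathLength` is now written into every request, so a configuration that omits `max_issuer_path_length` may be sent as an explicit 0 if the expander returns the schema zero value for an unset integer (the expander body is not visible here, so this is inferred). In X.509 terms that is the difference between no path-length constraint and a CA restricted to issuing leaf certificates, so existing configs without the field could silently change issuance scope; the same applies to the identical hunk in resource_privateca_certificate_authority.go. Consider adding a test config that leaves the field out and asserts the CA comes back without a path-length limit, plus a comment on the assignment such as `// 0 is a valid constraint (leaf-only issuance) and must not be dropped as empty; unset must stay distinguishable from 0`. Both functions start and end outside their hunks.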
--- a/google/resource_privateca_certificate_authority_generated_test.go
+++ b/google/resource_privateca_certificate_authority_generated_test.go
@@ -150,7 +150,8 @@ resource "google_privateca_certificate_authority" "default" {
 x509_config {
 ca_options {
 is_ca = true
- max_issuer_path_length = 10
+ # Force the sub CA to only issue leaf certs
+ max_issuer_path_length = 0
 }
 key_usage {
 base_key_usage {
diff --git a/website/docs/r/privateca_certificate_authority.html.markdown b/website/docs/r/privateca_certificate_authority.html.markdown
index 65eea490089..6c703ad0737 100644
--- a/website/docs/r/privateca_certificate_authority.html.markdown
+++ b/website/docs/r/privateca_certificate_authority.html.markdown
@@ -117,7 +117,8 @@ resource "google_privateca_certificate_authority" "default" {
 x509_config {
 ca_options {
 is_ca = true
- max_issuer_path_length = 10
+ # Force the sub CA to only issue leaf certs
+ max_issuer_path_length = 0
 }
 key_usage {
 base_key_usage {