Document -no_explicit

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 296b13ce506e622d4e9cd1c33138fd7a328a1a7c..b32086cd2a8d1599451621e64bc4b9b5ef46150c 100644 (file)
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -66,6 +66,7 @@ B<openssl> B<ocsp>
 [B<-no_cert_verify>]
 [B<-no_chain>]
 [B<-no_cert_checks>]
 [B<-no_cert_verify>]
 [B<-no_chain>]
 [B<-no_cert_checks>]

+[B<-no_explicit>]

 [B<-port num>]
 [B<-index file>]
 [B<-CA file>]
 [B<-port num>]
 [B<-index file>]
 [B<-CA file>]


@@ -226,6 +227,10 @@ testing purposes.
 do not use certificates in the response as additional untrusted CA
 certificates.
 
 do not use certificates in the response as additional untrusted CA
 certificates.
 

+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+

 =item B<-no_cert_checks>
 
 don't perform any additional checks on the OCSP response signers certificate.
 =item B<-no_cert_checks>
 
 don't perform any additional checks on the OCSP response signers certificate.


@@ -338,8 +343,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
 extended key usage is present in the OCSP responder certificate then the
 OCSP verify succeeds.
 
 extended key usage is present in the OCSP responder certificate then the
 OCSP verify succeeds.
 

-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.

 
 If none of these checks is successful then the OCSP verify fails.
 
 
 If none of these checks is successful then the OCSP verify fails.