[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-port num>]
[B<-index file>]
[B<-CA file>]
[B<-port num>]
[B<-index file>]
[B<-CA file>]
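Review bot: The synopsis lines visible here run from `[B<-no_cert_checks>]` straight to `[B<-port num>]` with no `[B<-no_explicit>]` entry, although the patch documents that option further down. If the synopsis is not updated elsewhere in this change, add `[B<-no_explicit>]` next to the other verification switches so the option list and the `=item` sections stay in step.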
do not use certificates in the response as additional untrusted CA
certificates.
do not use certificates in the response as additional untrusted CA
certificates.
+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
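Review bot: The new `=item B<-no_explicit>` text, "do not explicitly trust the root CA if it is set to be trusted for OCSP signing", does not say what "explicitly trust" changes in practice, so a reader cannot tell from this entry alone which check is being switched off. Suggest tying it to the verification step it controls, for example by stating that with this option a root CA marked as trusted for OCSP signing no longer causes the OCSP verify to succeed on its own, and pointing to the paragraph that describes the verification order.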
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.
If none of these checks is successful then the OCSP verify fails.
If none of these checks is successful then the OCSP verify fails.
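Review bot: In the added sentence "Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders CA is checked ...", the missing comma after "set" makes the condition run into the subject and it can be read as "set the root CA". Suggest "Otherwise, if B<-no_explicit> is B<not> set, the root CA of the OCSP responder's CA is checked ...". It would also help to state the other branch outright: when B<-no_explicit> is given this check is skipped, and verification then fails unless one of the earlier checks succeeded, which is currently only implied by the final context line.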