Document -no_explicit

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 384dee51242e950c56b3bac32145957bfbf3cd4b)

diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 38f026afc1b679af6cd950587c9dc45b0357d3c7..2372b373cdc1cdbda7247b626b71c3ad12123569 100644 (file)
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -40,6 +40,7 @@ B<openssl> B<ocsp>
 [B<-no_cert_verify>]
 [B<-no_chain>]
 [B<-no_cert_checks>]
 [B<-no_cert_verify>]
 [B<-no_chain>]
 [B<-no_cert_checks>]

+[B<-no_explicit>]

 [B<-port num>]
 [B<-index file>]
 [B<-CA file>]
 [B<-port num>]
 [B<-index file>]
 [B<-CA file>]


@@ -189,6 +190,10 @@ testing purposes.
 do not use certificates in the response as additional untrusted CA
 certificates.
 
 do not use certificates in the response as additional untrusted CA
 certificates.
 

+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+

 =item B<-no_cert_checks>
 
 don't perform any additional checks on the OCSP response signers certificate.
 =item B<-no_cert_checks>
 
 don't perform any additional checks on the OCSP response signers certificate.


@@ -301,8 +306,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
 extended key usage is present in the OCSP responder certificate then the
 OCSP verify succeeds.
 
 extended key usage is present in the OCSP responder certificate then the
 OCSP verify succeeds.
 

-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.

 
 If none of these checks is successful then the OCSP verify fails.
 
 
 If none of these checks is successful then the OCSP verify fails.