From 36b619a06e5a2a296058f8dbf11a74f95cb3f71d Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 24 Feb 2015 13:52:21 +0000 Subject: [PATCH] Document -no_explicit Reviewed-by: Rich Salz (cherry picked from commit 384dee51242e950c56b3bac32145957bfbf3cd4b) --- doc/apps/ocsp.pod | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 38f026afc1..2372b373cd 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -40,6 +40,7 @@ B B [B<-no_cert_verify>] [B<-no_chain>] [B<-no_cert_checks>] +[B<-no_explicit>] [B<-port num>] [B<-index file>] [B<-CA file>] @@ -189,6 +190,10 @@ testing purposes. do not use certificates in the response as additional untrusted CA certificates. +=item B<-no_explicit> + +do not explicitly trust the root CA if it is set to be trusted for OCSP signing. + =item B<-no_cert_checks> don't perform any additional checks on the OCSP response signers certificate. @@ -301,8 +306,9 @@ CA certificate in the request. If there is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify succeeds. -Otherwise the root CA of the OCSP responders CA is checked to see if it -is trusted for OCSP signing. If it is the OCSP verify succeeds. +Otherwise, if B<-no_explicit> is B set the root CA of the OCSP responders +CA is checked to see if it is trusted for OCSP signing. If it is the OCSP +verify succeeds. If none of these checks is successful then the OCSP verify fails. -- 2.34.1
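Review bot: In the synopsis hunk the new entry [B<-no_explicit>] is placed after [B<-no_cert_checks>], while the OPTIONS hunk inserts =item B<-no_explicit> before =item B<-no_cert_checks>; the two lists should use the same order so a reader going from the synopsis to the option descriptions finds them in the same sequence. Since -no_explicit is a response-verification switch in the same family as -no_cert_verify and -no_chain, grouping it next to those in both places would be the natural choice.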
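Review bot: The new option text "do not explicitly trust the root CA if it is set to be trusted for OCSP signing" does not tell the reader what the default behaviour is or what the flag changes, which matters because this option makes verification stricter, not looser. From the verification text changed in the third hunk, the default is that when the responder certificate neither matches the issuer nor carries the OCSPSigning extended key usage, the root CA of the responder's CA is consulted and the response is accepted if that root is trusted for OCSP signing; -no_explicit disables that fallback, so such a response then fails verification. Stating that in the =item, and adding a pointer to the verification description later in the page, would make the security consequence clear.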
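Review bot: The added sentence in the third hunk reads "if B<-no_explicit> is B set", which is not valid POD markup; the intended text is presumably "is B<not> set", and if the formatter drops the bare B the sentence silently inverts its meaning. The same sentence also needs commas to be readable: "Otherwise, if B<-no_explicit> is B<not> set, the root CA of the OCSP responder's CA is checked to see if it is trusted for OCSP signing. If it is, the OCSP verify succeeds." While the line is being rewritten anyway, "OCSP responders CA" should become "OCSP responder's CA" (possessive), which is carried over unchanged from the removed lines.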