author | Dr. Stephen Henson <steve@openssl.org> | 2015-02-24 13:52:21 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-02-24 15:27:33 +0000 |
commit | 384dee51242e950c56b3bac32145957bfbf3cd4b (patch) | |
tree | 7456b4f0e3fbd7a5565363f163a6b055db0463fb /doc/apps | |
parent | 775b669de3ba84d8dce16ff5e2bdffe263c05c4b (diff) | |
Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc/apps')
-rw-r--r-- | doc/apps/ocsp.pod | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 296b13c..b32086c 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -66,6 +66,7 @@ B<openssl> B<ocsp> [B<-no_cert_verify>] [B<-no_chain>] [B<-no_cert_checks>] +[B<-no_explicit>] [B<-port num>] [B<-index file>] [B<-CA file>] @@ -226,6 +227,10 @@ testing purposes. do not use certificates in the response as additional untrusted CA certificates. +=item B<-no_explicit> + +do not explicitly trust the root CA if it is set to be trusted for OCSP signing. + =item B<-no_cert_checks> don't perform any additional checks on the OCSP response signers certificate. @@ -338,8 +343,9 @@ CA certificate in the request. If there is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify succeeds. -Otherwise the root CA of the OCSP responders CA is checked to see if it -is trusted for OCSP signing. If it is the OCSP verify succeeds. +Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders +CA is checked to see if it is trusted for OCSP signing. If it is the OCSP +verify succeeds. If none of these checks is successful then the OCSP verify fails. |
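Review bot: In the synopsis hunk (@@ -66,6 +66,7 @@), `[B<-no_explicit>]` is listed after `[B<-no_cert_checks>]`, but the options hunk places `=item B<-no_explicit>` before `=item B<-no_cert_checks>`. Use the same relative order in both places so the synopsis and the option list line up.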
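Review bot: The new `=item B<-no_explicit>` entry (@@ -226,6 +227,10 @@) says what is not trusted but not what that does to the verify result. Going by the verification hunk, the option skips the fallback check of the responder's root CA for OCSP signing trust, so the verify fails unless one of the earlier checks succeeded. Say that in the item text, or point the reader to the verification section where the order of checks is described.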
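Review bot: In the verification hunk (@@ -338,8 +343,9 @@), "Otherwise, if B<-no_explicit> is B<not> set the root CA ..." is missing the comma after "set", and the bolded negation is easy to misread next to an option whose name already starts with "no". Suggest "Otherwise, unless B<-no_explicit> is set, the root CA of the OCSP responder's CA is checked ...", which also fixes the missing apostrophe in "responders" carried over into the rewritten lines.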