Loading doc/apps/ocsp.pod +8 −2 Original line number Diff line number Diff line Loading @@ -66,6 +66,7 @@ B<openssl> B<ocsp> [B<-no_cert_verify>] [B<-no_chain>] [B<-no_cert_checks>] [B<-no_explicit>] [B<-port num>] [B<-index file>] [B<-CA file>] Loading Loading @@ -226,6 +227,10 @@ testing purposes. do not use certificates in the response as additional untrusted CA certificates. =item B<-no_explicit> do not explicitly trust the root CA if it is set to be trusted for OCSP signing. =item B<-no_cert_checks> don't perform any additional checks on the OCSP response signers certificate. Loading Loading @@ -338,8 +343,9 @@ CA certificate in the request. If there is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify succeeds. Otherwise the root CA of the OCSP responders CA is checked to see if it is trusted for OCSP signing. If it is the OCSP verify succeeds. Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders CA is checked to see if it is trusted for OCSP signing. If it is the OCSP verify succeeds. If none of these checks is successful then the OCSP verify fails. Loading Loading
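Review bot: In the hunk at @@ -226,6 +227,10 @@, the new B<-no_explicit> description ("do not explicitly trust the root CA if it is set to be trusted for OCSP signing") does not say what "explicitly trust" means for verification, and the "if" clause can be read as a condition on the option itself. Suggest describing the behaviour it switches off, for example "do not accept the response signer solely because the root CA of its chain is marked as trusted for OCSP signing", and pointing to the verification section that the last hunk edits, so that readers see the option narrows what verification accepts.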
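Review bot: In the hunk at @@ -338,8 +343,9 @@, the rewritten sentence "Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders CA is checked" covers only the case where the option is absent. The reader has to infer from the closing "If none of these checks is successful" sentence that the verify fails when the option is set. Suggest stating that case directly, for example "If B<-no_explicit> is set this check is skipped", and adding a comma after "set". While the line is being touched, "responders CA" could become "responder's CA".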