There's no documentation available for the -no_explicit option of
openssl ocsp:
https://www.openssl.org/docs/apps/ocsp.html
Dr. Henson explained the meaning of the option and of the corresponding
flag OCSP_NOEXPLICIT for OCSP_basic_verify() like this on the
openssl-users list:
If the responder root CA is set to be trusted for OCSP signing then it can be
used to sign OCSP responses for any certificate (aka a global responder). This
comes under:
1. Matches a local configuration of OCSP signing authority for the
certificate in question
or alternatively:
Additional acceptance or rejection criteria may apply to either the
response itself or to the certificate used to validate the signature
on the response.
from RFC2560 et al.
If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
is disabled.
--
Stephan
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev