Document -no_explicit

Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 384dee51242e950c56b3bac32145957bfbf3cd4b)
author: Dr. Stephen Henson <steve@openssl.org> 2015-02-24 13:52:21 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2015-02-24 15:29:07 +0000
commit: 6e161ee39ede0686dc6ae9af115bf1c132f05db0 (patch)
tree: 8438caddb5bf1e9d98f552c241d4bc74f654ef74
parent: 0e5e7af95584281548841cc8f3da5298a84eb5f9 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 38f026afc1..2372b373cd 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -40,6 +40,7 @@ B<openssl> B<ocsp>
 [B<-no_cert_verify>]
 [B<-no_chain>]
 [B<-no_cert_checks>]
+[B<-no_explicit>]
 [B<-port num>]
 [B<-index file>]
 [B<-CA file>]
@@ -189,6 +190,10 @@ testing purposes.
 do not use certificates in the response as additional untrusted CA
 certificates.
 
+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+
 =item B<-no_cert_checks>
 
 don't perform any additional checks on the OCSP response signers certificate.
@@ -301,8 +306,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
 extended key usage is present in the OCSP responder certificate then the
 OCSP verify succeeds.
 
-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.
 
 If none of these checks is successful then the OCSP verify fails.
author	Dr. Stephen Henson <steve@openssl.org>	2015-02-24 13:52:21 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2015-02-24 15:29:07 +0000
commit	6e161ee39ede0686dc6ae9af115bf1c132f05db0 (patch)
tree	8438caddb5bf1e9d98f552c241d4bc74f654ef74
parent	0e5e7af95584281548841cc8f3da5298a84eb5f9 (diff)