[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

Dr. Stephen Henson steve at openssl.org
Tue Feb 24 18:24:30 UTC 2015


On Tue, Feb 24, 2015, Stephan Mühlstrasser wrote:

> 
> Do I understand it correctly then that "a local configuration of
> OCSP signing authority" here means that it is a deliberate choice
> inside OpenSSL itself to look for the OCSPSigning flag in the
> extended key usage of the root CA, although RFC 2560 does not say
> so?
> 

No, it's a separate thing called a "trust setting" which is not part of the
certificate itself. This is something which has to be explicitly configured
to trust that root CA for OCSPSigning.

It's OpenSSL's version of the trust settings you see in browsers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
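
Added example, not part of the original message and not OpenSSL project code: the reply above says the trust setting is configured separately from the certificate, and this script attaches an OCSPSigning trust setting to a root with `openssl x509 -addtrust` and checks that the certificate itself is unchanged. The root CA, its subject name and all file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: every file name and the subject "Example Root CA" are
# assumptions made for this example, not values from the mailing-list thread.

# Create a throwaway self-signed root, then write a copy that carries an
# OCSPSigning trust setting (PEM type "TRUSTED CERTIFICATE").
make_trusted_root() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    openssl x509 -in "$dir/root.pem" -addtrust OCSPSigning \
        -out "$dir/root-trusted.pem" || return 1
}

# The fingerprint is computed over the DER certificate only, so it is the
# same for the plain and the trusted file: the trust setting is auxiliary
# data stored next to the certificate, not an extension inside it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Show the trust settings attached to a file (no output for a plain cert).
trusted_uses() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Trusted Uses'
}

# Stand-alone run: build the files in a temp dir and compare them.
demo_dir=$(mktemp -d)
if make_trusted_root "$demo_dir"; then
    echo "plain:   $(head -n 1 "$demo_dir/root.pem")"
    echo "trusted: $(head -n 1 "$demo_dir/root-trusted.pem")"
    cert_fingerprint "$demo_dir/root.pem"
    cert_fingerprint "$demo_dir/root-trusted.pem"
    trusted_uses "$demo_dir/root-trusted.pem"
fi
rm -rf "$demo_dir"
```
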

