[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

Stephan Mühlstrasser stm at pdflib.com
Tue Feb 24 16:00:54 UTC 2015

On 24.02.15 at 14:47, Dr. Stephen Henson wrote:

> If the responder root CA is set to be trusted for OCSP signing then it can be
> used to sign OCSP responses for any certificate (aka a global responder). This
> comes under:
>     1. Matches a local configuration of OCSP signing authority for the
>     certificate in question
> or alternatively:
>     Additional acceptance or rejection criteria may apply to either the
>     response itself or to the certificate used to validate the signature
>     on the response.
> from RFC2560 et al.
> If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
> is disabled.

Do I understand it correctly then that "a local configuration of OCSP 
signing authority" here means that it is a deliberate choice inside 
OpenSSL itself to look for the OCSPSigning flag in the extended key 
usage of the root CA, although RFC 2560 does not say so?

