[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
Dr. Stephen Henson
steve at openssl.org
Tue Feb 24 18:24:30 UTC 2015
On Tue, Feb 24, 2015, Stephan M?hlstrasser wrote:
>
> Do I understand it correctly then that "a local configuration of
> OCSP signing authority" here means that it is a deliberate choice
> inside OpenSSL itself to look for the OCSPSigning flag in the
> extended key usage of the root CA, although RFC 2560 does not say
> so?
>
No it's a separate thing called a "trust setting" which is not part of the
certificate itself . This is something which has to be explicitly configured
to trust that root CA for OCSPSigning.
It's OpenSSL's version of the trust settings you see in browsers.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list