[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

Dr. Stephen Henson steve at openssl.org
Tue Feb 24 18:24:30 UTC 2015

On Tue, Feb 24, 2015, Stephan Mühlstrasser wrote:

> Do I understand it correctly then that "a local configuration of
> OCSP signing authority" here means that it is a deliberate choice
> inside OpenSSL itself to look for the OCSPSigning flag in the
> extended key usage of the root CA, although RFC 2560 does not say
> so?

No, it's a separate thing called a "trust setting" which is not part of the
certificate itself. This is something which has to be explicitly configured
to trust that root CA for OCSPSigning.

It's OpenSSL's version of the trust settings you see in browsers.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
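
The trust setting described in the reply can be seen with the openssl command line. This is an added example, not part of the original message; the throwaway CA, its subject and the file names are constructed for the demo. It shows that adding an OCSPSigning trust setting leaves the certificate and its fingerprint unchanged and stores the setting alongside it in a TRUSTED CERTIFICATE PEM block.

```shell
#!/bin/sh
# Added example. The CA subject and all file names are constructed for the demo.
set -eu

# Create a throwaway self-signed root CA in directory $1.
make_demo_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# Write a copy of certificate $1 to $2 with an OCSPSigning trust setting.
add_ocsp_trust() {
    openssl x509 -in "$1" -addtrust OCSPSigning -trustout -out "$2"
}

# SHA-256 fingerprint of the certificate proper (trust data is not covered).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if file $1 carries an "OCSP Signing" trust setting.
has_ocsp_trust() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Trusted Uses:' | grep -q 'OCSP Signing'
}

# Compare the plain root with the copy that has the trust setting attached.
demo() {
    make_demo_root "$1"
    add_ocsp_trust "$1/root.pem" "$1/root-ocsp.pem"
    for f in root.pem root-ocsp.pem; do
        if has_ocsp_trust "$1/$f"; then trusted=yes; else trusted=no; fi
        printf '%s\n  header: %s\n  sha256: %s\n  OCSPSigning trust: %s\n' \
            "$f" "$(head -n 1 "$1/$f")" "$(cert_fingerprint "$1/$f")" "$trusted"
    done
}

workdir=$(mktemp -d)
demo "$workdir"
rm -rf "$workdir"
```

Because the setting lives outside the signed certificate, it only takes effect for software that loads the file containing it; a copy of the same root without the auxiliary data carries no such trust.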
