[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
+[B<-no_explicit>]
[B<-port num>]
[B<-index file>]
[B<-CA file>]
do not use certificates in the response as additional untrusted CA
certificates.
+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.
If none of these checks is successful then the OCSP verify fails.