--- a/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
+++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
@@ -969,8 +969,12 @@
 
     if [ -n "${OCSP}" ] ; then
 
-        ISSUER_CERT="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
-        if [ -z "${ISSUER_CERT}" ] || [ ! -w "${ISSUER_CERT}" ] ; then
+        ISSUER_CERT_TMP="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
+        if [ -z "${ISSUER_CERT_TMP}" ] || [ ! -w "${ISSUER_CERT_TMP}" ] ; then
+            unknown 'temporary file creation failure.'
+        fi
+        ISSUER_CERT_TMP2="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
+        if [ -z "${ISSUER_CERT_TMP2}" ] || [ ! -w "${ISSUER_CERT_TMP2}" ] ; then
             unknown 'temporary file creation failure.'
         fi
 
@@ -992,7 +996,7 @@
 
     # Cleanup before program termination
     # Using named signals to be POSIX compliant
-    trap 'rm -f $CERT $ERROR $ISSUER_CERT' EXIT HUP INT QUIT TERM
+    trap 'rm -f $CERT $ERROR $ISSUER_CERT_TMP $ISSUER_CERT_TMP2' EXIT HUP INT QUIT TERM
 
     fetch_certificate
 
@@ -1348,8 +1352,11 @@
     # Check the validity
     if [ -z "${NOEXP}" ] ; then
 
+        if [ -n "${DEBUG}" ] ; then
+            echo "[DBG] Checking expiration date"
+        fi
         # We always check expired certificates
-        if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 ; then
+        if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 > /dev/null ; then
             critical "certificate is expired (was valid until $DATE)"
         fi
 
@@ -1359,7 +1366,7 @@
                 echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( CRITICAL * 86400 ))"
             fi
 
-            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) ; then
+            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) > /dev/null ; then
                 critical "certificate will expire on $DATE"
             fi
 
@@ -1371,7 +1378,7 @@
                 echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( WARNING * 86400 ))"
             fi
 
-            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) ; then
+            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) > /dev/null ; then
                 warning "certificate will expire on $DATE"
             fi
 
@@ -1504,34 +1511,36 @@
     if [ -n "${OCSP}" ]; then
 
 	if [ -n "${DEBUG}" ] ; then
-	    echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT}"
+	    echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT_TMP}"
 	fi
 	
-        curl --silent "${ISSUER_URI}" > "${ISSUER_CERT}"
+        curl --silent "${ISSUER_URI}" > "${ISSUER_CERT_TMP}"
 
 	if [ -n "${DEBUG}" ] ; then
-	    echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT}" | sed 's/.*://' )"
+	    echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
 	fi
 	
 	# check the result
-	if ! "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': (ASCII|PEM)' ; then
+	if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': (ASCII|PEM)' ; then
 	
-            if "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': data' ; then
+            if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': data' ; then
 		
 		if [ -n "${DEBUG}" ] ; then
 		    echo "[DBG] OCSP: converting issuer certificate from DER to PEM"
 		fi
 		
-		openssl x509 -inform DER -outform PEM -in "${ISSUER_CERT}" -out "${ISSUER_CERT}"
+    cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
+
+    $OPENSSL x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
 
-	    else
+	else
 
 		unknown "Unable to fetch OCSP issuer certificate."
 
-	    fi
+	fi
 		
 		
-        fi
+    fi
 
 	if [ -n "${DEBUG}" ] ; then
 
@@ -1543,7 +1552,7 @@
 	    
 	    echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
 	    
-	    cp "${ISSUER_CERT}" "${FILE_NAME}"
+	    cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
 	fi
 	
         OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s@.*//\([^/]\+\)\(/.*\)\?\$@\1@g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
@@ -1563,33 +1572,54 @@
 		echo "[DBG] openssl ocsp support the -header option"
 	    fi
 	    
+      # the -header option was first accepting key and value separated by space. The newer versions are using key=value
+      KEYVALUE=""
+      if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
+          if [ -n "${DEBUG}" ] ; then
+              echo "[DBG] openssl ocsp -header requires 'key=value'"
+          fi
+          KEYVALUE=1
+      else
+          if [ -n "${DEBUG}" ] ; then
+              echo "[DBG] openssl ocsp -header requires 'key value'"
+          fi
+      fi  
+
 	    # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
 	    # shellcheck disable=SC2154
 	    if [ -n "${http_proxy}" ] ; then
 		HTTP_PROXY="${http_proxy}"
 	    fi
 
-            if [ -n "${HTTP_PROXY:-}" ] ; then
+      if [ -n "${HTTP_PROXY:-}" ] ; then
+          if [ -n "${KEYVALUE}" ] ; then          
+              if [ -n "${DEBUG}" ] ; then
+                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
+              fi
+              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+          else
+              if [ -n "${DEBUG}" ] ; then
+                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+              fi
+              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
 		
-		if [ -n "${DEBUG}" ] ; then
-		    echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
-		fi
-
-                OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 | grep -i "ssl_cert")"
-
-            else
-		
-		if [ -n "${DEBUG}" ] ; then
-		    echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
-		fi
-
-                OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 | grep -i "ssl_cert")"
+		      fi
+      fi
 
-
-            fi
+      if [ -n "${KEYVALUE}" ] ; then
+          if [ -n "${DEBUG}" ] ; then
+              echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
+          fi
+          OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
+      else
+          if [ -n "${DEBUG}" ] ; then
+              echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+          fi
+              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+      fi
 	    
 	    if [ -n "${DEBUG}" ] ; then
-		echo "[DBG] OCSP: response = ${OCSP_RESP}"	
+		      echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
 	    fi
 	    
             if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
@@ -1597,9 +1627,9 @@
             elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then	    
 	    
                 if [ -n "${HTTP_PROXY:-}" ] ; then
-                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
                 else
-                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
                 fi
 		critical "${OCSP_RESP}"
 	    
