diff --git a/Changelog.md b/Changelog.md
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,9 @@
+### 0.3.1.0
+
+- Add function *getOCSPResponseVerificationData'* which is similar to
+  *getOCSPResponseVerificationData* except it accepts the OCSP response payload
+  in *ASN.1* format. See how it can be used in the *client-ocsp* example.
+
 ### 0.3.0.0
 
 - Add function *getOCSPResponseVerificationData* to help verify the signature of
diff --git a/Data/X509/OCSP.hs b/Data/X509/OCSP.hs
--- a/Data/X509/OCSP.hs
+++ b/Data/X509/OCSP.hs
@@ -28,9 +28,10 @@
                       ,OCSPResponseCertData (..)
                       ,OCSPResponseCertStatus (..)
                       ,decodeOCSPResponse
-    -- * OCSP response verification
+    -- ** OCSP response verification
                       ,OCSPResponseVerificationData (..)
                       ,getOCSPResponseVerificationData
+                      ,getOCSPResponseVerificationData'
                       ) where
 
 import Data.X509
@@ -250,10 +251,10 @@
 --
 -- This data can be used to verify the signature of the OCSP response with
 -- 'Data.X509.Validation.verifySignature'. The response is signed with
--- signature /ocspRespSignature/. Binary data /ocspRespDer/ and algorthm
--- /ocspRespSignatureAlg/ are what was used to sign the response. The
+-- signature /ocspRespSignature/. Binary data /ocspRespDer/ and algorithm
+-- /ocspRespSignatureAlg/ are what has been used to sign the response. The
 -- verification process may require the public key of the issuer certificate
--- if it's not attached in /ocspRespCerts/.
+-- if it's not been attached in /ocspRespCerts/.
 --
 -- See details of signing and verification of OCSP responses in /rfc6960/.
 --
@@ -264,7 +265,7 @@
 --
 -- -- ...
 --
--- verifySignature\' :: 'OCSPResponse' -> 'Certificate' -> 'Data.X509.Validation.SignatureVerification'
+-- verifySignature\' :: 'OCSPResponse' -> 'Certificate' -> t'Data.X509.Validation.SignatureVerification'
 -- verifySignature\' resp v'Certificate' {..}
 --     | Just __/OCSPResponseVerificationData/__ {..} <-
 --         'getOCSPResponseVerificationData' resp =
@@ -276,6 +277,10 @@
 -- Note that the issuer certificate gets passed to /verifySignature\'/ rather
 -- than looked up in /ocspRespCerts/. The OCSP Signature Authority Delegation
 -- is not checked in the function.
+--
+-- To verify update times, check the values of 'ocspRespCertThisUpdate' and
+-- 'ocspRespCertNextUpdate' which both must have been constructed as
+-- 'TimeGeneralized'.
 data OCSPResponseVerificationData =
     OCSPResponseVerificationData { ocspRespDer :: ByteString
                                    -- ^ Response data (DER-encoded)
@@ -287,44 +292,55 @@
                                    -- ^ Certificates
                                  } deriving (Show, Eq)
 
--- | Get verification data from OCSP response payload.
+-- | Get verification data from OCSP response.
 --
 -- The function returns /Nothing/ on unexpected ASN.1 contents.
-getOCSPResponseVerificationData :: OCSPResponse ->
-    Maybe OCSPResponseVerificationData
-getOCSPResponseVerificationData resp
-    | Just resp' <- ocspRespPayload resp
-    , Start Sequence : Start Sequence : c1 <- ocspRespASN1 resp' = do
-        let (wrapInSequence -> resp'', next) = getConstructedEnd 0 c1
-            der = encodeASN1' DER resp''
-        case next of
-            Start Sequence : c2 -> do
-                let (wrapInSequence -> alg, next') = getConstructedEnd 0 c2
-                (alg', _) <- either (const Nothing) Just $ fromASN1 alg
-                case next' of
-                    BitString (BitArray _ sig) : c3
-                        | c3 == [End Sequence] ->
+getOCSPResponseVerificationData
+    :: OCSPResponse             -- ^ OCSP response
+    -> Maybe OCSPResponseVerificationData
+getOCSPResponseVerificationData (ocspRespPayload -> Just pl) =
+    getOCSPResponseVerificationData' $ ocspRespASN1 pl
+getOCSPResponseVerificationData _ = Nothing
+
+-- | Get verification data from OCSP response payload.
+--
+-- This is a variant of 'getOCSPResponseVerificationData' that accepts the
+-- OCSP response payload in ASN.1 format. The function returns /Nothing/ on
+-- unexpected ASN.1 contents.
+getOCSPResponseVerificationData'
+    :: [ASN1]                   -- ^ OCSP response payload
+    -> Maybe OCSPResponseVerificationData
+getOCSPResponseVerificationData' (Start Sequence : Start Sequence : c1) = do
+    let (wrapInSequence -> resp'', next) = getConstructedEnd 0 c1
+        der = encodeASN1' DER resp''
+    case next of
+        Start Sequence : c2 -> do
+            let (wrapInSequence -> alg, next') = getConstructedEnd 0 c2
+            (alg', _) <- either (const Nothing) Just $ fromASN1 alg
+            case next' of
+                BitString (BitArray _ sig) : c3
+                    | c3 == [End Sequence] ->
+                        Just $ OCSPResponseVerificationData
+                            der alg' sig []
+                    | Start (Container Context 0)
+                        : Start Sequence
+                        : certs <- getCurrentContainerContents c3 -> do
+                            certs' <- reverse <$> collectCerts certs []
                             Just $ OCSPResponseVerificationData
-                                der alg' sig []
-                        | Start (Container Context 0)
-                            : Start Sequence
-                            : certs <- getCurrentContainerContents c3 -> do
-                                certs' <- reverse <$> collectCerts certs []
-                                Just $ OCSPResponseVerificationData
-                                    der alg' sig certs'
-                    _ -> Nothing
-            _ -> Nothing
-    where collectCerts (Start Sequence : c1) certs
-              | (Start Sequence : cert, c2) <- getConstructedEnd 0 c1 =
+                                der alg' sig certs'
+                _ -> Nothing
+        _ -> Nothing
+    where collectCerts (Start Sequence : c4) certs
+              | (Start Sequence : cert, c5) <- getConstructedEnd 0 c4 =
                   case fromASN1 (getCurrentContainerContents cert) of
-                      Right (cert', _) -> collectCerts c2 $ cert' : certs
+                      Right (cert', _) -> collectCerts c5 $ cert' : certs
                       _ -> Nothing
           collectCerts [End Sequence, End (Container Context 0)] certs =
               Just certs
           collectCerts _ _ =
               Nothing
           wrapInSequence = (Start Sequence :) . (++ [End Sequence])
-getOCSPResponseVerificationData _ = Nothing
+getOCSPResponseVerificationData' _ = Nothing
 
 getCurrentContainerContents :: [ASN1] -> [ASN1]
 getCurrentContainerContents = fst . getConstructedEnd 0
diff --git a/x509-ocsp.cabal b/x509-ocsp.cabal
--- a/x509-ocsp.cabal
+++ b/x509-ocsp.cabal
@@ -1,7 +1,7 @@
 cabal-version:          2.4
 
 name:                   x509-ocsp
-version:                0.3.0.0
+version:                0.3.1.0
 synopsis:               Basic X509 OCSP implementation
 description:            Build X509 OCSP requests and parse responses
 homepage:               https://github.com/lyokha/x509-ocsp
@@ -28,6 +28,9 @@
                       , asn1-encoding
                       , asn1-types
                       , cryptohash-sha1
+
+            -- only needed for haddock to hyperlink entities in code examples:
+                      , crypton-x509-validation
 
   exposed-modules:      Data.X509.AIA
                       , Data.X509.OCSP
