diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 12537f9c0..fca3b9b8e 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -683,15 +683,21 @@ int
 ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
 {
  hx509_certs reqcerts, pool;
- heim_octet_string req;
+ heim_octet_string req, nonce_data, *nonce = &nonce_data;
  hx509_lock lock;
  int i, ret;
  char *file;
  const char *url = "/";
 
+ memset(&nonce, 0, sizeof(nonce));
+
  hx509_lock_init(context, &lock);
  lock_strings(lock, &opt->pass_strings);
 
+ /* no nonce */
+ if (!opt->nonce_flag)
+ nonce = NULL;
+
  if (opt->url_path_string)
  url = opt->url_path_string;
 
@@ -715,7 +721,7 @@ ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
  errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
  }
 
- ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, NULL);
+ ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
  if (ret)
  errx(1, "hx509_ocsp_request: req: %d", ret);
 
@@ -737,6 +743,9 @@ ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
  fclose(f);
  }
 
+ if (nonce)
+ free_octet_string(nonce);
+
  return 0;
 }
 
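Review bot: In the first hunk, `memset(&nonce, 0, sizeof(nonce));` zeroes the pointer `nonce` itself rather than the `nonce_data` structure it was just pointed at, so `nonce` is NULL from that line on regardless of `opt->nonce_flag`. The call in the second hunk therefore still passes NULL as the last argument to `hx509_ocsp_request`, which presumably means the request carries no nonce and the response is not bound to it even when the option is given. The `free_octet_string(nonce)` added in the third hunk never runs for the same reason. The line should read `memset(&nonce_data, 0, sizeof(nonce_data));`, which also leaves the structure in a defined state for the cleanup. The body of ocsp_fetch continues outside the hunks shown.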