Reply to Certificate exceeds maximum temporal validity period
Here's the full code block where we're validating the certificates. Effectively we're given the certificate chain and we attempt initially to validate without it against the standard installed certs, and then add the custom ones and try again (ignoring hostname for custom certs). It's in the second verification that it's failing solely because of the temporal validity issue:

```swift
sec_protocol_options_set_verify_block(securityOptions, { (_, trust, completionHandler) in
    self.logger.debug("Entering Verify Block")
    let secTrust = sec_trust_copy_ref(trust).takeRetainedValue()
    // Declared locally so the snippet stands on its own
    var error: CFError?
    var isValidCertificate = SecTrustEvaluateWithError(secTrust, &error)
    if !isValidCertificate {
        self.logger.debug("Server not trusted with default certs, seeing if we have custom ones")
        var customCerts: [SecCertificate] = []
        let trustCerts = SettingsStore.global.serverCertificateTruststore
        self.logger.debug("Truststore contains \(trustCerts.count) cert(s)")
        if !trustCerts.isEmpty {
            self.logger.debug("Trusting Trust Store Certs")
            trustCerts.forEach { cert in
                if let convertedCert = SecCertificateCreateWithData(nil, cert as CFData) {
                    customCerts.append(convertedCert)
                }
            }
        }
        if !customCerts.isEmpty {
            // Disable hostname validation if using custom certs
            let sslWithoutHostnamePolicy = SecPolicyCreateSSL(true, nil)
            SecTrustSetPolicies(secTrust, [sslWithoutHostnamePolicy] as CFArray)
            SecTrustSetAnchorCertificates(secTrust, customCerts as CFArray)
        }
        // Make sure we still trust our normal root certificates
        SecTrustSetAnchorCertificatesOnly(secTrust, false)
        // Try again; clear the first-pass error so only a retry failure is logged
        error = nil
        isValidCertificate = SecTrustEvaluateWithError(secTrust, &error)
        if let error {
            self.logger.error("SecTrustEvaluate failed with error: \(error)")
        }
    }
    completionHandler(isValidCertificate)
}, .global())
```
Topic: Privacy & Security SubTopic: General Tags:
Oct ’24
Reply to Certificate exceeds maximum temporal validity period
Thanks as always Quinn! In running Console I don't see any specific messages about leaf validity period, only these two messages. I have opened a support request already that has the domain we're attaching to when experiencing the issue if that's helpful. As far as we can tell these certificates meet all of the requirements from that article - for example, it's only trusted for 394 days, not expired, etc. These aren't self-signed, but root-trusted certificates. Happy to dig in more if there's something else I can provide!
Topic: Privacy & Security SubTopic: General Tags:
Oct ’24
Reply to Certificate exceeds maximum temporal validity period
So I'm reminded I could inspect the CFError and set individual policies, for example we ignore Hostname policies when using custom certificates:

```swift
let sslWithoutHostnamePolicy = SecPolicyCreateSSL(true, nil)
SecTrustSetPolicies(secTrust, [sslWithoutHostnamePolicy] as CFArray)
SecTrustSetAnchorCertificates(secTrust, customCerts as CFArray)
SecTrustSetAnchorCertificatesOnly(secTrust, false)
```

So if there's a policy we could use for validity to disable that check, I'm definitely OK with that as a workaround.
Topic: Privacy & Security SubTopic: General Tags:
Oct ’24
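The verify block from the first reply and the CFError inspection the third reply considers, as an added example (not the poster's code): it keeps hostname verification when retrying with custom anchors by pinning the SSL policy to the server name negotiated for the connection, and maps the CFError code to the check that failed so the log names the cause instead of only reporting failure. It assumes `customCerts` is built from the truststore as in the post, and that the `errSec*` constants and `sec_protocol_metadata_get_server_name` are those exported by the Security and Network frameworks.

```swift
import Foundation
import Network
import Security

/// Added example. Translate a trust-evaluation CFError into the specific
/// check that failed. Codes are OSStatus values from Security's SecBase.h.
func describeTrustFailure(_ error: CFError) -> String {
    guard CFEqual(CFErrorGetDomain(error), kCFErrorDomainOSStatus) else {
        return "non-OSStatus error: \(error)"
    }
    switch OSStatus(CFErrorGetCode(error)) {
    case errSecCertificateValidityPeriodTooLong:
        return "leaf validity period exceeds the platform maximum"
    case errSecCertificateExpired:
        return "certificate is expired or not yet valid"
    case errSecHostNameMismatch:
        return "server name does not match the certificate"
    case errSecNotTrusted:
        return "chain does not end in a trusted anchor"
    default:
        return "trust evaluation failed: \(error)"
    }
}

/// Verify block that retries with custom anchors but keeps hostname checks.
/// `customCerts` is assumed to come from the truststore as in the post.
func makeVerifyBlock(customCerts: [SecCertificate],
                     log: @escaping (String) -> Void) -> sec_protocol_verify_t {
    return { metadata, trust, complete in
        let secTrust = sec_trust_copy_ref(trust).takeRetainedValue()
        var error: CFError?
        // First pass: system roots with the default SSL policy.
        if SecTrustEvaluateWithError(secTrust, &error) { complete(true); return }
        guard !customCerts.isEmpty else {
            log(error.map(describeTrustFailure) ?? "not trusted, no custom anchors")
            complete(false); return
        }
        // Pin the policy to the real server name instead of nil, so a custom
        // anchor cannot vouch for an arbitrary host.
        let serverName = sec_protocol_metadata_get_server_name(metadata)
            .map { String(cString: $0) as CFString }
        SecTrustSetPolicies(secTrust, SecPolicyCreateSSL(true, serverName))
        SecTrustSetAnchorCertificates(secTrust, customCerts as CFArray)
        SecTrustSetAnchorCertificatesOnly(secTrust, false) // keep system roots too
        error = nil
        let ok = SecTrustEvaluateWithError(secTrust, &error)
        if !ok, let error { log(describeTrustFailure(error)) }
        complete(ok)
    }
}
```

Install it with `sec_protocol_options_set_verify_block(securityOptions, makeVerifyBlock(customCerts: customCerts, log: { print($0) }), .global())`; a validity-period failure then logs as such rather than as an opaque `SecTrustEvaluate failed` line.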