Thanks as always Quinn! In running Console I don't see any specific messages about leaf validity period, only these two messages. I have opened a support request already that has the domain we're attaching to when experiencing the issue if that's helpful. As far as we can tell these certificates meet all of the requirements from that article - for example, it's only trusted for 394 days, not expired, etc. These aren't self-signed, but root-trusted certificates. Happy to dig in more if there's something else I can provide!

So I'm reminded I could inspect the CFError and set individual policies, for example we ignore Hostname policies when using custom certificates: let sslWithoutHostnamePolicy = SecPolicyCreateSSL(true, nil) SecTrustSetPolicies(secTrust, [sslWithoutHostnamePolicy] as CFArray) SecTrustSetAnchorCertificates(secTrust, customCerts as CFArray) SecTrustSetAnchorCertificatesOnly(secTrust, false) So if there's a policy we could use for validity to disable that check, I'm definitely OK with that as a workaround.