diff --git a/hal/inc/tls_config.h b/hal/inc/tls_config.h index c91f180a..0c662bc6 100644 --- a/hal/inc/tls_config.h +++ b/hal/inc/tls_config.h @@ -92,6 +92,10 @@ typedef enum { #define TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED 14 #define TLS_EVENT_CODE_ALM_NO_CIPHER 15 #define TLS_EVENT_CODE_INF_SESSION_ESTABLISHED 16 +#define TLS_EVENT_CODE_WRN_CERT_EXPIRED 17 +#define TLS_EVENT_CODE_WRN_CERT_NOT_YET_VALID 18 +#define TLS_EVENT_CODE_WRN_CRL_EXPIRED 19 +#define TLS_EVENT_CODE_WRN_CRL_NOT_YET_VALID 20 typedef struct sTLSConnection* TLSConnection; @@ -165,6 +169,14 @@ TLSConfiguration_setSessionResumptionInterval(TLSConfiguration self, int interva PAL_API void TLSConfiguration_setChainValidation(TLSConfiguration self, bool value); +/** + * \brief Enabled or disables the verification of validity times for certificates and CRLs + * + * \param value true to enable time validation, false to disable (enabled by default) + */ +PAL_API void +TLSConfiguration_setTimeValidation(TLSConfiguration self, bool value); + /** * \brief Set if only known certificates are accepted. * diff --git a/hal/tls/mbedtls/tls_mbedtls.c b/hal/tls/mbedtls/tls_mbedtls.c index 94027467..e4feb5c4 100644 --- a/hal/tls/mbedtls/tls_mbedtls.c +++ b/hal/tls/mbedtls/tls_mbedtls.c @@ -65,6 +65,7 @@ struct sTLSConfiguration { bool chainValidation; bool allowOnlyKnownCertificates; + bool timeValidation; /* TLS session renegotiation interval in milliseconds */ int renegotiationTimeInMs; @@ -179,7 +180,10 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth } if (certMatches) - *flags = 0; + { + if (self->tlsConfig->chainValidation == false) + *flags = 0; + } else { raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Alarm: certificate validation: trusted individual certificate not available", self); 
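Review bot: The new Doxygen comment for TLSConfiguration_setTimeValidation in the tls_config.h hunk has a typo ("Enabled or disables") and does not tell the caller what disabling actually means for the connection. The mbedtls backend in this same commit keeps accepting expired or not-yet-valid certificates and CRLs when the option is off and only reports them through the event handler as TLS_SEC_EVT_WARNING with the new codes 17-20, so the header is the place to say that. I would change the brief to `\brief Enables or disables the validity-time check for certificates and CRLs` and add a sentence such as `When disabled, expired or not-yet-valid certificates and CRLs are still accepted; a TLS_SEC_EVT_WARNING with one of the TLS_EVENT_CODE_WRN_CERT_*/CRL_* codes is raised instead of rejecting the peer. Disable only on devices without a trustworthy clock.`.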
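Review bot: In the verifyCertificate hunk of hal/tls/mbedtls/tls_mbedtls.c, the new `if (self->tlsConfig->chainValidation == false) *flags = 0;` still wipes every mbedtls verification flag for a matching known certificate, including the MBEDTLS_X509_BADCERT_EXPIRED / _FUTURE and BADCRL bits, so the timeValidation option introduced by this commit (checked further down in the same function, and defaulting to true) cannot reject an expired allow-listed peer when chain validation is off, and no warning event is raised either because the bits are already gone. If the intent is that time validation is independent of chain validation, replace the assignment with a mask that keeps only the time-related bits for the later block to handle: `*flags &= (MBEDTLS_X509_BADCERT_EXPIRED | MBEDTLS_X509_BADCERT_FUTURE | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCRL_FUTURE);`. If it is deliberate that a known certificate bypasses the time check when chainValidation is false, that should be stated in the TLSConfiguration_setTimeValidation documentation. verifyCertificate starts before this hunk and continues after it.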
@@ -189,6 +193,37 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth } } + if (self->tlsConfig->timeValidation == false) + { + if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) + { + *flags = *flags - MBEDTLS_X509_BADCERT_EXPIRED; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_EXPIRED, "Warning: certificate validation: using expired certificate", self); + } + + if (*flags & MBEDTLS_X509_BADCRL_EXPIRED) + { + *flags = *flags - MBEDTLS_X509_BADCRL_EXPIRED; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_EXPIRED, "Warning: certificate validation: using expired CRL", self); + } + + if (*flags & MBEDTLS_X509_BADCERT_FUTURE) + { + *flags = *flags - MBEDTLS_X509_BADCERT_FUTURE; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_NOT_YET_VALID, "Warning: certificate validation: using certificate with validity in future", self); + } + + if (*flags & MBEDTLS_X509_BADCRL_FUTURE) + { + *flags = *flags - MBEDTLS_X509_BADCRL_FUTURE; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_NOT_YET_VALID, "Warning: certificate validation: using CRL with validity in future", self); + } + } + if (self->storePeerCert) { if (*flags == 0) @@ -205,6 +240,8 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth } } + printf(" flags: %u\n", *flags); + return 0; } @@ -341,6 +378,9 @@ TLSConfiguration_create() /* default behavior is to allow all certificates that are signed by the CA */ self->chainValidation = true; self->allowOnlyKnownCertificates = false; + + /* default behaviour is to check for valid-from and expiration times */ + self->timeValidation = true; self->setupComplete = false; self->eventHandler = NULL; 
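Review bot: The four flag-clearing statements in the timeValidation block use arithmetic subtraction, `*flags = *flags - MBEDTLS_X509_BADCERT_EXPIRED;`, which is only correct because each is guarded by the matching `if (*flags & ...)` test; anyone who later drops or merges a guard turns this into silent corruption of unrelated verification bits. The idiomatic and guard-independent form is `*flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;`, and the same change applies to the BADCRL_EXPIRED, BADCERT_FUTURE and BADCRL_FUTURE cases. A short comment above the block would also help the next reader, for example `/* timeValidation disabled: downgrade validity-period failures to warnings but keep every other verification flag */`. The enclosing verifyCertificate function begins and ends outside this hunk.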
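Review bot: The added `printf(" flags: %u\n", *flags);` just before `return 0;` in verifyCertificate looks like leftover debugging: it writes to stdout on every certificate-verification callback of the mbedtls backend, it has no counterpart in the mbedtls3 backend changed by the same commit, and the library already has raiseSecurityEvent for reporting verification results. I would remove the line, or if the value is wanted for diagnostics, route it through the existing event mechanism rather than stdout. If `flags` is a `uint32_t *` as in the mbedtls callback signature, a `%u` conversion is also not strictly portable and would need `PRIu32`.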
@@ -423,6 +463,12 @@ TLSConfiguration_setChainValidation(TLSConfiguration self, bool value) self->chainValidation = value; } +void +TLSConfiguration_setTimeValidation(TLSConfiguration self, bool value) +{ + self->timeValidation = value; +} + void TLSConfiguration_setAllowOnlyKnownCertificates(TLSConfiguration self, bool value) { diff --git a/hal/tls/mbedtls3/tls_mbedtls.c b/hal/tls/mbedtls3/tls_mbedtls.c index e784797d..ee1edd66 100644 --- a/hal/tls/mbedtls3/tls_mbedtls.c +++ b/hal/tls/mbedtls3/tls_mbedtls.c @@ -68,6 +68,7 @@ struct sTLSConfiguration { bool chainValidation; bool allowOnlyKnownCertificates; + bool timeValidation; /* TLS session renegotiation interval in milliseconds */ int renegotiationTimeInMs; @@ -181,7 +182,10 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth } if (certMatches) - *flags = 0; + { + if (self->tlsConfig->chainValidation == false) + *flags = 0; + } else { raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Alarm: certificate validation: trusted individual certificate not available", self); 
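Review bot: The verifyCertificate hunk of hal/tls/mbedtls3/tls_mbedtls.c has the same gap as the mbedtls backend: `if (self->tlsConfig->chainValidation == false) *flags = 0;` clears the expired/not-yet-valid certificate and CRL bits for a matching known certificate before the timeValidation block in the same function can see them, so with chain validation off an expired allow-listed peer is accepted without any rejection or warning even though timeValidation defaults to true. Keeping only the time-related bits, `*flags &= (MBEDTLS_X509_BADCERT_EXPIRED | MBEDTLS_X509_BADCERT_FUTURE | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCRL_FUTURE);`, would let the new option apply consistently in both backends; whichever behaviour is intended should be the same in mbedtls and mbedtls3. The function starts before this hunk and continues after it.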
@@ -191,6 +195,37 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth } } + if (self->tlsConfig->timeValidation == false) + { + if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) + { + *flags = *flags - MBEDTLS_X509_BADCERT_EXPIRED; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_EXPIRED, "Warning: certificate validation: using expired certificate", self); + } + + if (*flags & MBEDTLS_X509_BADCRL_EXPIRED) + { + *flags = *flags - MBEDTLS_X509_BADCRL_EXPIRED; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_EXPIRED, "Warning: certificate validation: using expired CRL", self); + } + + if (*flags & MBEDTLS_X509_BADCERT_FUTURE) + { + *flags = *flags - MBEDTLS_X509_BADCERT_FUTURE; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_NOT_YET_VALID, "Warning: certificate validation: using certificate with validity in future", self); + } + + if (*flags & MBEDTLS_X509_BADCRL_FUTURE) + { + *flags = *flags - MBEDTLS_X509_BADCRL_FUTURE; + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_NOT_YET_VALID, "Warning: certificate validation: using CRL with validity in future", self); + } + } + if (self->storePeerCert) { if (*flags == 0) @@ -349,6 +384,9 @@ TLSConfiguration_create() /* default behavior is to allow all certificates that are signed by the CA */ self->chainValidation = true; self->allowOnlyKnownCertificates = false; + + /* default behaviour is to check for valid-from and expiration times */ + self->timeValidation = true; self->setupComplete = false; self->eventHandler = NULL; @@ -441,6 +479,12 @@ TLSConfiguration_setChainValidation(TLSConfiguration self, bool value) self->chainValidation = value; } +void +TLSConfiguration_setTimeValidation(TLSConfiguration self, bool value) +{ + self->timeValidation = value; +} + void TLSConfiguration_setAllowOnlyKnownCertificates(TLSConfiguration self, bool value) {
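Review bot: The flag clearing in the mbedtls3 timeValidation block, `*flags = *flags - MBEDTLS_X509_BADCERT_EXPIRED;` and its three siblings, should be written as bit operations, `*flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;`, so correctness no longer depends on the preceding `if (*flags & ...)` guard. Note that verifyCertificate is invoked with a certificate_depth argument, so this relaxation presumably applies to every element of the chain, not just the leaf: with timeValidation off, an expired intermediate or root CA is also accepted, and one warning event is raised per certificate that trips the check. That is worth a comment at the top of the block, e.g. `/* applies to every chain element this callback is invoked for, including CAs */`, and a mention in the public documentation of the option. The enclosing function begins and ends outside this hunk.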