diff --git a/ChangeLog b/ChangeLog
index e9b67908f..a1afbaae6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,9 @@ Bugfix
    * Fix issue in Makefile that prevented building using armar. #386
    * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
      ECDSA was disabled in config.h . The leak didn't occur by default.
+   * Fix an issue that caused valid certificates being rejected whenever an
+   expired or not yet valid version of the trusted certificate was before the
+   valid version in the trusted certificate list.
 
 Changes
    * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 3eaf5bc14..334b8ef51 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1932,6 +1932,16 @@ static int x509_crt_verify_top(
             continue;
         }
 
+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+        {
+            continue;
+        }
+
+        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+        {
+            continue;
+        }
+
         if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
                            child->sig_md, hash, mbedtls_md_get_size( md_info ),
                            child->sig.p, child->sig.len ) != 0 )
@@ -1967,12 +1977,6 @@ static int x509_crt_verify_top(
         ((void) ca_crl);
 #endif
 
-        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
-
-        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
-
         if( NULL != f_vrfy )
         {
             if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,