diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 3d8370b..46ef722 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -248,7 +248,13 @@ extern "C" {
      */
     GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
     GNUTLS_CERT_SIGNER_NOT_CA = 128,
-    GNUTLS_CERT_INSECURE_ALGORITHM = 256
+    GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+    /* Time verification.
+     */
+    GNUTLS_CERT_NOT_ACTIVATED = 512,
+    GNUTLS_CERT_EXPIRED = 1024
+
   } gnutls_certificate_status_t;
 
   typedef enum
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 9c2800e..f554e47 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -504,7 +504,13 @@ extern "C"
 
     /* Allow certificates to be signed using the broken MD5 algorithm.
      */
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+    /* Disable checking of activation and expiration validity
+     * periods of certificate chains. Don't set this unless you
+     * understand the security implications.
+     */
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 599eff7..399831e 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
     }
 #endif
 
+  /* Check activation/expiration times
+   */
+  if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+    {
+      time_t t, now = time (0);
+
+      for (i = 0; i < clist_size; i++)
+	{
+	  t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now < t)
+	    {
+	      status |= GNUTLS_CERT_NOT_ACTIVATED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+
+	  t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now > t)
+	    {
+	      status |= GNUTLS_CERT_EXPIRED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+	}
+    }
+
   /* Verify the certificate path (chain)
    */
   for (i = clist_size - 1; i > 0; i--)
diff --git a/src/common.c b/src/common.c
index c383d7d..226fdb7 100644
--- a/src/common.c
+++ b/src/common.c
@@ -272,6 +272,10 @@ print_cert_vrfy (gnutls_session_t session)
 	printf ("- Peer's certificate issuer is not a CA\n");
       if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
 	printf ("- Peer's certificate chain uses insecure algorithm\n");
+      if (status & GNUTLS_CERT_NOT_ACTIVATED)
+	printf ("- Peer's certificate chain uses not yet valid certificate\n");
+      if (status & GNUTLS_CERT_EXPIRED)
+	printf ("- Peer's certificate chain uses expired certificate\n");
       if (status & GNUTLS_CERT_INVALID)
 	printf ("- Peer's certificate is NOT trusted\n");
       else