For the altNames does DNS: need to be included? i.e. should the cert altName be: DNS:host.example.com OR.. host.example.com ? Upgrading to Yosemite seems to have fixed the issue anyway (in case it helps others!).