@ra_pa - We faced this same issue, and we finally managed to resolve it. I'll post what solved it for us, mainly because this post is the first result when you try to Google the error, so hopefully it helps others in the future.
The error we were receiving when we ran the staple command:
Domain is api.apple-cloudkit.com
Certificate trust evaluation did not return expected result. (5) [leaf AnchorApple ChainLength IntermediateMarkerOid LeafMarkersProdAndQA]
Certificate trust evaluation for api.apple-cloudkit.com did not return expected result. Missing required extension.
Certificate trust evaluation did not return expected result. (5) [leaf AnchorApple ChainLength IntermediateMarkerOid LeafMarkersProdAndQA]
Certificate trust evaluation for api.apple-cloudkit.com did not return expected result. Missing required extension.
Could not establish secure connection to api.apple-cloudkit.com
Response is (null)
error is Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, NSErrorFailingURLKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask "
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask , NSLocalizedDescription=cancelled}
Size of data is 0
CloudKit's response is inconsistent with expections: (null)
The staple and validate action failed! Error 68.
While we could do a CURL POST to the https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup URL and get the expected result, the staple process would fail with the certificate trust error. Within our corporate network, all SSL traffic is decrypted for inspection, so we came to the conclusion there must be a decryption issue due to certificate pinning.
The solution was to exclude the api.apple-cloudkit.com domain from this decryption process. I'm assuming the stapler process is strict in the SSL certificate validation check.
Anyway, hope this helps anyone else facing the same problem!
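
A way to confirm the diagnosis above, before and after the exclusion is applied, as an added example that is not part of the original post: it reports who issued the certificate this network presents for api.apple-cloudkit.com. The `Apple Inc.` issuer organization and the function names are assumptions, and the issuer strings used to exercise the classifier are constructed.

```shell
#!/bin/sh
# Added example: show whether the certificate seen for the stapler endpoint
# was issued by Apple or re-signed by something in the network path.

HOST="api.apple-cloudkit.com"   # host named in the stapler error in the post
EXPECTED_ORG="Apple Inc."       # assumption: issuer O= on Apple's own chain

# Print the issuer line of the leaf certificate as seen from this network.
# Works even when the chain is not trusted locally, since nothing is verified.
leaf_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line. Accepts both the "O = Apple Inc." (OpenSSL) and
# "/O=Apple Inc." (LibreSSL) renderings of the same field.
classify_issuer() {
    case "$1" in
        "") echo "no-certificate" ;;
        *"O = $EXPECTED_ORG"*|*"O=$EXPECTED_ORG"*) echo "apple-issued" ;;
        *) echo "re-signed" ;;
    esac
}

# Fetch, classify and report; exit status is 0 only for an Apple-issued leaf.
check_host() {
    issuer=$(leaf_issuer "$1")
    verdict=$(classify_issuer "$issuer")
    printf '%s: %s (%s)\n' "$1" "$verdict" "${issuer:-no issuer read}"
    [ "$verdict" = "apple-issued" ]
}

# Run the live check only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--check" ]; then
    check_host "$HOST"
fi
```

Run it with `--check` from a machine on the affected network: a `re-signed` verdict means the inspection proxy is still re-signing traffic for that host, which is the condition the stapler rejects.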