ActiveSync to iPhone / WinMo still working after SSL certificate revocation and renewal..
Posted on 2009-05-01
So I've got ActiveSync working to iPhones and WinMo clients in testing - all is good. However, when I come to remove the cert from IIS on the Exch box (2003), revoke the cert at the CA level and then create a new cert / renew at IIS again, all clients can still connect without having to renew their installed certificates.
Surely this is wrong? They should fail, right, as I haven't re-imported the new cert into them..
Do they continue to work because ActiveSync seems to only work with a ROOT level cert installed on the device, i.e. a cert that says 'anything from this domain is good'? Certainly when I look at the certs on my WinMo device it appears as a ROOT, and when I delete this from the device and create an 'intermediate' certificate in IIS - something which appears to only provide validation for the particular server in question - and then import into device, ActiveSync no longer works..
Someone point me in the right direction please? I'm at the limits of my knowledge with this, and I can't believe that MS would design the paradigm that effectively only ActiveSync can work with a non-revocable certificate. Unless they designed it such that only user / client certificates can be revoked to disable access - a feature that Apple's implementation doesn't support..