Can not remove SSL certificate on iPhone 6 - iOS10.2

Posted on 2016-10-19
Last Modified: 2016-10-31
Only one iPhone is having this issue.
We manage access to our email and internal site via SSL certificates.
These are installed through Airwatch MDM profiles.

Usually, if I remove an iPhone from Airwatch, it will delete all certificates and profiles on that device.
However, for this phone, it appears that all certificates are removed (Settings -> General -> Profiles does not exist) but the phone can still access the internal site.

If I clear out Safari's history and website data and I then try to access the site, it will prompt for the certificate by name ( and selecting it opens the site.

List of what I've tried to remove this certificate:
Go to Settings -> General -> Profiles (this option does not exist)
Clear out History and Website Data for Safari
Reset Network Settings
Reset All Settings

An annoyance caused by this is that when I install the Email profile which contains the certificate from Airwatch, the device now has two of the same certificate. So whenever the user attempts accessing the site, he is prompted to select which of the two he wants.
This prompt also appears if the site has been unused for about 5 - 10 minutes.

Any ideas on how I could either:
1. Remove the duplicate certificate stored on the device or
2. Force Safari to use one of the certificates without prompting the user
Question by:SeeDk

Expert Comment

by:Steven Wallace
ID: 41851357
What iOS version is the iPhone?

Author Comment

ID: 41851901
It is version 10.0.2

Expert Comment

ID: 41859640
I would guess that the phone has had the certificate deployed by some other means.

I would probably wipe the phone and re-provision from scratch, not restoring a backup. This would, however, dump text messages etc., which may not be desired.

Expert Comment

ID: 41859889
The certificate should be gone if the profile it goes with is removed. I suspect the SSL certificate is tied to no profile, hence removal of the profile will not work in such cases. So I am thinking the manual removal is as follows:

-Delete the SSL certificate by going to Settings → General → Reset → Network Settings.

But for profile-based removal, the manual means is below, on top of the MDM command.

-On your iPhone, click on the "Settings" icon in the main menu screen. Select "General" from the list of options that appear in the drop-down menu.

-Select "Profiles" from the list of options that appear and a list of all the certificates on your iPhone will appear on screen.

-Scroll through the list of certificates until you come to the one you would like to remove from your iPhone and click the "Remove" button on the screen. The certificate will then be removed. Repeat the process for any other certificates you would like to remove.

Another check is to maybe try SSL Detective to see all the certificates and confirm if there are indeed duplicates.

Author Comment

ID: 41860201
Not sure what other means it could be unless someone tampered with his phone. Yeah, I considered deleting everything as a last resort. This is very undesirable though, since even restoring from a backup can't be done.

It is definitely tied to a profile. I can see the profile and attached certificate in the Airwatch admin console.
I also see it in Settings -> General -> Profiles when the profile is installed on the phone.
However, when the profile is removed, Settings -> General -> Profiles does not exist anymore.
It was also not showing in SSL detective when the profile is removed. The device can still access the internal site though.
On a different iPhone with the same iOS, when I remove the profile, the internal site is no longer accessible because the certificate is completely removed as expected.

Expert Comment

ID: 41860264
It looks like the device has some caching at the network. I suggested the step below in my last post. But note that this also resets the rest of your network settings. Maybe it is better to move forward with this, and if it still recurs, then better to take the last resort of resetting the device.

Delete the SSL certificate by going to Settings → General → Reset → Network Settings.

Author Comment

ID: 41860295
I already tried both
Reset Network Settings
Reset All Settings

and the certificate still remains...somewhere.

Expert Comment

ID: 41860524
I suggest revoking the existing certificate and pushing down another new certificate instead. If the login is still possible (given some time for the revoked cert to be published), then attempting to delete will not make any difference.

Author Comment

ID: 41860832
When I revoke the certificate, it only breaks access to the email (since the email profile uses the same certificate as the site).
But the cached certificate still exists, since the phone can still access the site.

It seems I've completely lost access to the cached certificate from Airwatch.

Expert Comment

ID: 41861437
If another new profile (for another user) is created for this device, the email connection is re-established and the profile is removed, will the connection be disallowed as desired? If it is the same, I do suggest rebuilding this device instead, since even the AirWatch unenroll of the device did not remove the certificate as expected.

Author Comment

ID: 41866965
It is the same. Fortunately, the user will be getting a new phone soon so we will just wipe the device after that if no other solution is found.

Accepted Solution

btan earned 500 total points
ID: 41867053
Thanks for sharing. It seems like the time to find the root cause is not worthwhile, and a rebuild may still be the way eventually if the device is going to be reused.

Question has a verified solution.
