iPhone 7 not connecting to SBS2011 Exchange 2010 after Self-Issued cert was reissued/renewed

I have a client with SBS2011 with Exchange 2010.  They have 6 users with iPhone 7’s.   All the phones were able to connect with their Exchange accounts and send/receive e-mail until the server self-issued cert was reissued/renewed.  Now 3 of them are not able to send or receive.   In an attempt to get the owner’s working, I used Safari to get the new cert by going to the domain https (didn’t work), deleted the Exchange account and re-created the account (also didn’t work).   I keep getting an error (Cannot Verify Server Identity : The identity of “server.mydomain.com” cannot be verified by Exchange.) – only two choices are presented “Details” and “Cancel”, there is no third choice to continue anyway.

Do I need to download the certificate to the phone or will it just come down by itself?   Or what is the correct procedure to get the cert on the phone?

I have tried several times to enter and reenter but can’t seem to get this to work.   I have tried googleing to find information but haven’t been successful so far, so I decided to go the “Experts”.   On the owner’s account, I also deleted the phone partnership in the Exchange Management Console.   Also the internal domain has a .local extension so I can’t use a third party trusted certificate (thanks Microsoft).

Below is all the information for this account with their domain redacted as “mydomain”.
Please help me: what is the correct settings for these iphones?

Redacted Information:
Full server computer name: SERVER.mydomain.local
Internal domain: mydomain.local
Server: server.mydomain.com

PWD: <password>

Issuer: mydomain-SERVER-CA
Subject: server.mydomain.com
Subject Alternative Name:
DNS Name=mydomain.com
DNS Name=server.mydomain.com
DNS Name=SERVER.mydomain.local
Valid from: ‎Sunday, ‎February ‎18, ‎2018
Valid to: ‎Tuesday, ‎February ‎18, ‎2020
Randall SeilerOwnerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dmitri FarafontovLinux Systems AdminCommented:
Are you using a self-signed certificate? Or have you purchased it from somewhere like Entrust/Digicert?
If you press on Details, you will likely find out what exactly is wrong with your SSL certificate.
Randall SeilerOwnerAuthor Commented:
It is a self-signed cert; the internal domain is .local, so I can't buy a purchased cert.
Dmitri FarafontovLinux Systems AdminCommented:
If the cert is self-signed you have to manually add it to each iPhone as it does not trust it by default (and that is a good thing):

1) Export CRT in your browser and email to yourself and open it on iPhone

2) You might have to go to Settings and manually have it show up and set it to trusted
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Randall SeilerOwnerAuthor Commented:
Thanks Dmitri, I will make note of your suggestions and read over those sites.
Dmitri FarafontovLinux Systems AdminCommented:
3) Once you have everything setup correctly you should have something like this (where each custom self-signed cert is installed and listed)

Let me know if you get stuck on something.
Randall SeilerOwnerAuthor Commented:
What is the best way to get the correct certificate?
The certificate in [https:/server.mydomain.com/public/downloads] is different than the one that is in a browser.
I can go to the cert authority on the SBS2011 and export the cert that matches the one that shows up in a browser, is that a good way to get it for download to a phone?

Issued to: mydomain-SERVER-CA
Issued by: mydomain-SERVER-CA
Valid from 2/18/2018 to 2/18/2023

exported from cert authority & in a browser:
Issued to: server.mydomain.com
Issued by: mydomain-SERVER-CA
Valid from 2/18/2018 to 2/18/2020
Dmitri FarafontovLinux Systems AdminCommented:
Yeah that sounds like a plan. Although I am confused why a different certificate is being served..
Randall SeilerOwnerAuthor Commented:
It's a Microsoft conspiracy to give us all migraine headaches!
Randall SeilerOwnerAuthor Commented:
Should I just install both of them?
Dmitri FarafontovLinux Systems AdminCommented:
Yeah lets try that.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Randall SeilerOwnerAuthor Commented:
Thanks Dmitri for all your help.

Here is what worked for me:
On iPhone that was connecting and e-mail was working, but the SBS2011 self-signed certificate was reset or renewed, I just download and install the new cert. and the phone just start working.

On the iPhone that was new, fresh setup, I download the certificate and then proceed to setting up the Exchange account on the phone.

To get the RWA certificate:
* With a browser, go to the secure site [i.e. https://server.mydomain.com]
* Login to Remote Web Access
* Navigate to Shared Folders -> Public -> Downloads -> Certificate Distribution Package
* Download and install the SBSCertificate.cer

Note: Make sure the user name is entered EXACTLY as it is in the AD.
Example: User = Harry Smith, UID in AD = HSmith, Username entered in iPhone = HSmith
Dmitri FarafontovLinux Systems AdminCommented:
Glad you got it sorted! The idea is to always get the right CRT imported.
Randall SeilerOwnerAuthor Commented:
Dmitri - thanks for you help.  

When I get some time, I would like to put together a tutorial with screen shots and full instructions for renewing the certs and how to get them out of the server.   It doesn't seem all that complicated, but finding correct information has been a task.
Dmitri FarafontovLinux Systems AdminCommented:
Great! Thanks for FYI.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.