Exchange Certificate Renewal not Being Accepted by iOS Mail App

This weekend we renewed our certificate in Exchange using our CA. Everything installed normally and Exchange ECP shows the renewed certificate as Valid. After testing Outlook, OWA and email on my Android phone, I saw that everything was pulling the new certificate and mail was flowing on the devices normally.

The next day we started getting calls from iOS users stating they cannot access email on their iPhones or iPads. They are getting an error that says, "Cannot Verify Server Identity: The identity of "autodiscover.mydomain.com" cannot be verified by Mail." I jumped on the server to double check "autodiscover" is visible on the new certificate and it is. The new cert is an exact replica of the previous cert, which had worked fine.

Anybody have any thoughts on how to fix this for iOS users? People using the Outlook App on Apple devices are able to access email fine. It's only people using the built-in Mail app provided by Apple.

Troubleshooting I've tried:
Rebooting the Exchange server to reset IIS and other services
Restarting Apple device
Removing and re-adding Exchange account from Apple device
Temporarily turning off SSL on Apple device
Tested adding Exchange account to an Apple device that has never touched our Exchange server

Thank you for the help!
NPBIT Asked:

Shreedhar Ette, Technical Manager, Commented:
For iOS device:
If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate.

For further reference, see this article:
https://support.apple.com/en-in/HT204477
Jeff Glover, Sr. Systems Administrator, Commented:
Which CA are you using? If it is GoDaddy, you need to install the intermediates on your Exchange server. If it is Symantec, it may not be trusted anymore. Apple is picky.
NPBIT, Author, Commented:
Thank you for the replies.

Shreedhar, in regard to your reply: it does not look like the newest versions of iOS have the "Enable full trust for root certificates" setting, so we were unable to turn on trust for those certificates.

We have found that people on newer versions of iOS are the only ones having problems. It looks like newer versions of iOS handle certificates differently. We have also found that certain Chrome browsers do not like the new certificate either, which leads us to believe the problem is related to Certificate Transparency. We are going to take a look at our CA and possibly reissue a new certificate this weekend.
Jeff Glover, Sr. Systems Administrator, Commented:
Make sure it is a SHA-2 (or 256) certificate.
NPBIT, Author, Commented:
Hello,
We were able to replace the certificate last weekend. The new certificate, with Certificate Transparency, fixed all the problems we were having. It's been about a week and we haven't seen or heard reports of phones or browsers not connecting to Exchange.

Thank you for the help!
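
A read-only check for the certificate properties raised in this thread (embedded Certificate Transparency SCTs, SHA-2 signature, the names on the certificate, chain building), added here as an example and not posted by any participant. The function name Get-ServerCertReport is hypothetical, and the chain is evaluated against the local Windows trust store, which is not the same as Apple's.

```powershell
# Added example (not from the thread). Get-ServerCertReport is a hypothetical name.
function Get-ServerCertReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,  # e.g. autodiscover.mydomain.com
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents so that a certificate which
        # fails validation can still be inspected. Diagnostic use only.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Embedded SCT list extension (RFC 6962). SCTs can also be delivered in the
    # TLS handshake or a stapled OCSP response, which this check does not see.
    $sct = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.11129.2.4.2' }

    # Subject Alternative Name extension, formatted as text for reading.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    # Build the chain locally; a failure here often means a missing intermediate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        SignatureAlgorithm = $sigAlg
        WeakSignatureHash  = $sigAlg -match 'sha1|md5'
        HasEmbeddedSct     = [bool]$sct
        SubjectAltNames    = $sanText
        ChainBuildsLocally = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-ServerCertReport -HostName 'autodiscover.mydomain.com' | Format-List
```

Running it against the old and the reissued certificate side by side shows which property changed between them.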
