Exchange Certificate Renewal not Being Accepted by iOS Mail App

NPBIT
This weekend we renewed our certificate in Exchange using our CA. Everything installed normally and Exchange ECP shows the renewed certificate as Valid. After testing Outlook, OWA and email on my android phone, I saw that everything was pulling the new certificate and mail was flowing on the devices normally.

The next day we started getting calls from iOS users stating they cannot access email on their iPhones or iPads. They are getting an error that says, "Cannot Verify Server Identity: The identity of "autodiscover.mydomain.com" cannot be verified by Mail." I jumped on the server to double check "autodiscover" is visible on the new certificate and it is. The new cert is an exact replica of the previous cert, which had worked fine.

Anybody have any thoughts on how to fix this for iOS users? People using the Outlook App on Apple devices are able to access email fine. It's only people using the built-in Mail app provided by Apple.

Troubleshooting I've tried:
Rebooting the Exchange server to reset IIS and other services
Restarting Apple device
Removing and re-adding Exchange account from Apple device
Temporarily turning off SSL on Apple device
Tested adding Exchange account to an Apple device that has never touched our Exchange server

Thank you for the help!
Shreedhar Ette, Technical Manager
Top Expert 2010

Commented:
For iOS device:
If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate.

For further reference, see this article:
https://support.apple.com/en-in/HT204477
Jeff Glover, Sr. Systems Administrator

Commented:
Which CA are you using? If it is GoDaddy, you need to install the intermediates in your Exchange server. If it is Symantec, it may not be trusted anymore. Apple is picky.

Author

Commented:
Thank you for the replies.

Shreedhar, in regard to your reply: it does not look like the newest versions of iOS have the "Enable full trust for root certificates" setting, so we were unable to turn on trust for those certificates.

We have found that people on newer versions of iOS are the only ones having problems. It looks like newer versions of iOS play with certificates differently. We have also found that certain Chrome browsers do not like the new certificate either, which leads us to believe the problem is related to Certificate Transparency. We are going to take a look at our CA and possibly reissue a new certificate this weekend.
Jeff Glover, Sr. Systems Administrator

Commented:
Make sure it is a SHA-2 (or 256) certificate.
Commented:
Hello,
We were able to replace the certificate last weekend. The new certificate, with Certificate Transparency, fixed all the problems we were having. It's been about a week and we haven't seen or heard reports of phones or browsers not connecting to Exchange.

Thank you for the help!
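
The checks raised in this thread (embedded Certificate Transparency SCTs, SHA-2 signature, intermediates, names on the certificate) can be run in one pass on the Exchange server. This is an added example, not code from any participant in the thread; it assumes the renewed certificate sits in the LocalMachine\My store and uses only standard .NET X509 classes.

```powershell
# Added example: audit server certificates for the issues discussed in this thread.
# Assumption: the Exchange certificate is installed in Cert:\LocalMachine\My.

$sctOid = '1.3.6.1.4.1.11129.2.4.2'   # extension holding embedded SCTs (RFC 6962)
$sanOid = '2.5.29.17'                 # Subject Alternative Name

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    ForEach-Object {
        $cert = $_

        # Build the chain from local stores only; skip revocation so the
        # result reflects missing intermediates/roots, not CRL reachability.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sct = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sctOid }

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotBefore          = $cert.NotBefore
            NotAfter           = $cert.NotAfter
            # Expect sha256RSA (or another SHA-2 variant), not sha1RSA.
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            # False means no SCT list is embedded in the certificate itself.
            HasEmbeddedSct     = [bool]$sct
            # Names clients will match against, e.g. the autodiscover host.
            SubjectAltNames    = if ($san) { $san.Format($false) } else { '(none)' }
            ChainBuilds        = $chainOk
            ChainLength        = $chain.ChainElements.Count
            ChainStatus        = ($chain.ChainStatus |
                                    ForEach-Object { $_.Status }) -join ', '
        }
    } | Format-List
```

SCTs can also be delivered in the TLS handshake or a stapled OCSP response, so `HasEmbeddedSct = False` is a prompt to ask the CA how it provides them rather than proof that none exist. `ChainBuilds` reflects the server's local stores only and does not show which intermediates the server actually sends to clients.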
