Eric Velting

Exchange Certificate Renewal not Being Accepted by iOS Mail App

This weekend we renewed our certificate in Exchange using our CA. Everything installed normally and Exchange ECP shows the renewed certificate as Valid. After testing Outlook, OWA and email on my Android phone, I saw that everything was pulling the new certificate and mail was flowing on the devices normally.

The next day we started getting calls from iOS users stating they cannot access email on their iPhones or iPads. They are getting an error that says, "Cannot Verify Server Identity: The identity of "autodiscover.mydomain.com" cannot be verified by Mail." I jumped on the server to double check "autodiscover" is visible on the new certificate and it is. The new cert is an exact replica of the previous cert, which had worked fine.

Anybody have any thoughts on how to fix this for iOS users? People using the Outlook App on Apple devices are able to access email fine. It's only people using the built-in Mail app provided by Apple.

Troubleshooting I've tried:
Rebooting the Exchange server to reset IIS and other services
Restarting Apple device
Removing and re-adding Exchange account from Apple device
Temporarily turning off SSL on Apple device
Tested adding Exchange account to an Apple device that has never touched our Exchange server

Thank you for the help!


8/22/2022 - Mon
Shreedhar Ette

For iOS device:
If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate.

Further, refer to the article:
Jeff Glover

Which CA are you using? If it is GoDaddy, you need to install the intermediates in your Exchange server. If it is Symantec, it may not be trusted anymore. Apple is picky.
Eric Velting

Thank you for the replies.

Shreedhar, in regard to your reply, it does not look like the newest versions of iOS have the "Enable full trust for root certificates" setting, so we were unable to turn on trust for those certificates.

We have found that people on newer versions of iOS are the only ones having problems. It looks like newer versions of iOS play with certificates differently. We have also found that certain Chrome browsers do not like the new certificate either, which leads us to believe the problem is related to Certificate Transparency. We are going to take a look at our CA and possibly reissue a new certificate this weekend.
Jeff Glover

Make sure it is a SHA-2 (or 256) certificate.
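The checks suggested in this thread (SHA-2 signature, the autodiscover name in the SAN, an embedded Certificate Transparency SCT list, a chain that builds through the intermediates) can be run in one pass. This is an added example, not part of any post above and not the thread's solution; the function name `Test-ServerCertificate` and the host `autodiscover.example.test` are hypothetical, and the sample certificate is constructed in memory so the script runs without touching a certificate store.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $HostName   # name the client connects to
    )
    # Signature algorithm OIDs that use SHA-2 (RSA and ECDSA with SHA-256/384/512).
    $sha2Oids = '1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13',
                '1.2.840.10045.4.3.2', '1.2.840.10045.4.3.3', '1.2.840.10045.4.3.4'
    # Extension OIDs: subjectAltName and the embedded SCT list (Certificate Transparency).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sct = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.11129.2.4.2' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    # Build the chain from the local stores. This shows whether this machine can
    # reach a trusted root; it does not show which intermediates are sent to clients.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject            = $Certificate.Subject
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
        IsSha2             = $sha2Oids -contains $Certificate.SignatureAlgorithm.Value
        # Plain substring match on the formatted SAN; wildcard entries are not evaluated.
        HostInSan          = $sanText -match [regex]::Escape($HostName)
        HasEmbeddedSct     = [bool]$sct
        ChainBuilds        = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Constructed sample: a self-signed SHA-256 certificate for a hypothetical host.
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=autodiscover.example.test', $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sanBuilder = [SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddDnsName('autodiscover.example.test')
$req.CertificateExtensions.Add($sanBuilder.Build())
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(30))

Test-ServerCertificate -Certificate $sample -HostName 'autodiscover.example.test'
```

To check the renewed certificate instead of the sample, pass an entry from `Cert:\LocalMachine\My` as `-Certificate`.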