
iOS 13 Self Signed SSL certificate updates in Mail

As everybody should know by now, the Mail app in iOS 13 will no longer support legacy SSL certificates using SHA1. Therefore old time admins like me were awoken from our deep slumber to regenerate SSL certificates on legacy systems - like those running OS X Server 10.5. Yes, "5"; not "15".


I have generated new SHA256 certs with an RSA key of 2048 bits with a life of 825 days. I'm not sure if the ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID is implemented correctly, but the OID shows up when I read the certificate.


I'm having problems with iPhones updated to iOS 13.0 not being able to accept the newly generated certificates. The Mail app tells me, "Cannot Verify Server Identity" and gives me the choice of Cancel, Details, or Continue. In iOS 12.x, I could tap "Details" and a detail screen would appear with a "Trust" link in the top right corner. Alas, tapping on "Details" has no effect. It will not open a detail screen.


I'm wondering if this is an issue with iOS 13 or if I'm missing something on the server side. What kind of request is iOS Mail sending the server to verify the SSL certificate, and how does the server need to reply?


Posted on Sep 22, 2019 6:52 PM

Question marked as Best reply

Posted on Jan 7, 2020 12:22 PM

I can now confirm that self-signed certificates can be manipulated to include Key Usage ( 2.5.29.15 ), Extended Key Usage ( 2.5.29.37 ), and Subject Alternative Name ( 2.5.29.17 ), and iOS 12~13 and OS X 10.12~10.14 will accept it. The only hiccup will be your iOS device. It must forget ALL CERTIFICATES WITH THE OLD DATA. That is, if you have an SSL connection to www.example.com for imap, smtp, pop, calendars, contacts, notes; all of those services must forget the old certificate to www.example.com. You may end up deleting every account on your iPhone that connects to example.com and starting over. This was a big hassle for my admins' iPhones with dozens of e-mail and calDAV accounts. I was going crazy looking for the last service that still connected using the old SSL cert. It was an SMTP setting under a virtual domain mail.foobar.com -> mail.example.com that I no longer used.


Good luck!
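The certificate profile the best reply describes (a self-signed SHA-256 cert carrying Key Usage, Extended Key Usage with serverAuth, and a Subject Alternative Name, with the 2048-bit RSA key and 825-day lifetime from the question), as an added example that is not part of the original thread. It assumes the openssl CLI is installed; "www.example.com" is a placeholder host name.

```shell
#!/bin/sh
# Added example: generate a self-signed server certificate with the three
# extensions the reply names, then check that they are actually present.
# Assumes the openssl CLI is available; the host name is a placeholder.
set -eu

make_selfsigned_cert() {
    # $1 = host name to put in CN and SAN, $2 = output directory
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # Extension profile written as an openssl config fragment.
    cat > "$dir/v3.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $host
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 2048-bit RSA key, SHA-256 signature, 825-day lifetime (values from the question).
    openssl req -x509 -newkey rsa:2048 -sha256 -days 825 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/v3.cnf" >/dev/null 2>&1
}

check_cert_extensions() {
    # $1 = certificate path, $2 = expected DNS name.
    # Returns 0 only if Key Usage, serverAuth EKU and the SAN entry are all present.
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q "X509v3 Key Usage" &&
    echo "$txt" | grep -q "TLS Web Server Authentication" &&
    echo "$txt" | grep -q "DNS:$2"
}
```

A certificate that passes this check still has to be installed and trusted on each device, and, as the reply notes, every account that cached the old certificate must be reconfigured.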
