
SMIME certificate cannot be removed

A friend used an SMIME certificate for email encryption. I could send any email to him, using this certificate. He then removed the certificate and so did I. I uninstalled it from iOS devices (iPhone and iPad), but somehow the emails still must(!) be encrypted. I cannot send them unencrypted and I have no idea how to get rid of the certificate. I double checked the removal of the Profile I used to install the public key, it definitely has been removed. I switched to a new phone and used the backup of my old, of course. The problem remained and a complete setup as new phone just is out of the question. How can I get rid of the problem?


Thanks in advance for any information!

Posted on Feb 2, 2014 4:05 AM


Aug 17, 2015 1:05 PM in response to Frerin

I figured out how to delete expired S/MIME certificates and possibly how to scale iOS S/MIME for future certs -- I can't tell if the solution is a bug or a feature.


To delete all trusted S/MIME (and TLS) certificates:


iOS>Settings>General>Reset>Reset All Settings

You'll have to do this whenever one of your contact's S/MIME certificates expires, which, if they're on an enterprise PKI, will happen every year. This greatly limits the usefulness of iOS S/MIME because it's a major PITA to re-enter all your settings and VPN configurations every time an S/MIME certificate expires.

I am hoping the following solution works to avoid this problem with iOS:

  • Do NOT follow Apple's advice in the support document "Send an encrypted message to someone outside your Exchange environment". Specifically, do NOT manually trust the certificate by hitting View Certificate>Install because (I believe) this will keep a trusted certificate in your keychain after this certificate expires and is replaced. iOS will not let you install an updated certificate with the same RFC 822 Name (email address), and will continue to encrypt using the same trusted-but-expired certificate. After hitting Install, you'll have to Reset All Settings to get rid of it (bad).
  • Rather, View Certificate, then request a copy of the Root Certificate Authority (.cer) and, if necessary, the Intermediate CA (.cer) that signs the sender's cert. Install these .cer certificates in your System Profiles. In my experience, I need both the Root and Intermediate CAs for iOS.
  • Now (I believe), S/MIME signing and encryption certs will be added to your keychain as trusted by the Root and Intermediate CAs. But expired certs will neither be trusted nor used, allowing the updated and trusted (via the root CA) cert to be used correctly.
  • This approach also works if you run your own OS X Server Mail service and cut your own trusted S/MIME certs.

Mar 15, 2015 8:48 PM in response to Frerin

Hi Frerin, hi all, one year after your post I have the same problem under iOS 8.2. It seems nothing has changed since then. Or did you find a solution in the meantime? This Apple article, "Use S/MIME to send encrypted messages in an Exchange environment in iOS - Apple Support", describes more in the section "Send....outside exchange environment", but exactly sub-section 4, "The Install button changes color to red and reads Remove", does not work on my devices (iPhone 6, iPad mini Retina). The color remains blue and it still reads Install. My email partner has revoked his S/MIME certificate, which now causes irritation. My devices still use the revoked certificate for encryption even though I have received and installed a new, trusted certificate from this partner.

But my partner of course cannot open my mails, which are still encrypted with the revoked certificate. Any advice would be highly appreciated. Sincerely, Claus

Aug 20, 2015 2:36 AM in response to Frerin

There is a way to remove old S/MIME certificates IF you have an old signed email from the person. Search back through your mail and examine the certificate until you find an old one with a red Remove button rather than a blue Install button. Remove the old cert and go forward and install the new cert. AFAIK, this is the only way to remove S/MIME certificates short of reinstalling a factory iOS.


You'll have to do this separately for every contact on every iOS device every time a cert expires. This obviously scales horribly, and you can spend an hour or more searching through old email certs looking for the one to remove, especially if the PKI certs are updated at irregular periods. In one case, I had to use OS X Mail.app's better search capability to copy thousands of old emails into a temp mailbox just to be able to search for certs on iOS.


Please file bug reports.

May 4, 2016 10:36 AM in response to william-from-abingdon

I have the solution. It looks like a glitch in iOS. I have an iPhone 6S and could not get a solution even through Apple tech support. Here it is: go to Settings/Display Brightness, and under Display Zoom select Standard. Then try to install the certificate again, but this time hold the iPhone horizontally before you press the Install button; then you'll be asked the magic question: would you like to replace the old certificate? That's it: the phone must be in Standard view and it must be held horizontally.

May 4, 2016 11:08 AM in response to FD7470

Sorry, this one didn't work for me. Perhaps a dependency on PKI specifics.


FD7470 wrote:

I have the solution. It looks like a glitch in iOS. I have an iPhone 6S and could not get a solution even through Apple tech support. Here it is: go to Settings/Display Brightness, and under Display Zoom select Standard. Then try to install the certificate again, but this time hold the iPhone horizontally before you press the Install button; then you'll be asked the magic question: would you like to replace the old certificate? That's it: the phone must be in Standard view and it must be held horizontally.
