I figured out how to delete expired S/MIME certificates and possibly how to scale iOS S/MIME for future certs -- I can't tell if the solution is a bug or a feature.
To delete all trusted S/MIME (and TLS) certificates:
iOS>Settings>General>Reset>Reset All Settings
You'll have to do this whenever one of your contact's S/MIME certificates expires, which, if they're on an enterprise PKI, will happen every year. This greatly limits the usefulness of iOS S/MIME because it's a major PITA to re-enter all your settings and VPN configurations every time an S/MIME certificate expires. I am hoping the following solution works to avoid this problem with iOS:
- Do NOT follow Apple's advice in the support document "Send an encrypted message to someone outside your Exchange environment". Specifically, do NOT manually trust the certificate by hitting View Certificate>Install because (I believe) this will keep a trusted certificate in your keychain after this certificate expires and is replaced. iOS will not let you install an updated certificate with the same RFC 822 Name (email address), and will continue to encrypt using the same trusted-but-expired certificate. After hitting Install, you'll have to Reset All Settings to get rid of it (bad).
- Rather, View Certificate, then request a copy of the Root Certificate Authority (.cer) and, if necessary, the Intermediate CA (.cer) that signs the sender's cert. Install these .cer certificates in your System Profiles. In my experience, I need both the Root and Intermediate CAs for iOS.
- Now (I believe), S/MIME signing and encryption certs will be added to your keychain as trusted by the Root and Intermediate CAs. But expired certs will neither be trusted nor used, allowing the updated and trusted (via the root CA) cert to be used correctly.
- This approach also works if you run your own OS X Server Mail service and cut your own trusted S/MIME certs.