Aug 17, 2015 8:53 AM in response to Gengsheng, by essandess:
Me too, on iOS 8.4.1, and this has been a problem since iOS 7. Any solution? I'm going to file a bug report.

Aug 17, 2015 12:17 PM in response to Gengsheng, by essandess:
I figured out how to delete expired S/MIME certificates and possibly how to scale iOS S/MIME for future certs -- I can't tell if the solution is a bug or a feature.
To delete all trusted S/MIME (and TLS) certificates:
- iOS>Settings>General>Reset>Reset All Settings
You'll have to do this whenever one of your contact's S/MIME certificates expires, which, if they're on an enterprise PKI, will happen every year. This greatly limits the usefulness of iOS S/MIME because it's a major PITA to re-enter all your settings and VPN configurations every time an S/MIME certificate expires.
I am hoping the following solution works to avoid this problem with iOS:
- Do NOT follow Apple's advice in the support document "Send an encrypted message to someone outside your Exchange environment". Specifically, do NOT manually trust the certificate by hitting View Certificate>Install because (I believe) this will keep a trusted certificate in your keychain after this certificate expires and is replaced. iOS will not let you install an updated certificate with the same RFC 822 Name (email address), and will continue to encrypt using the same trusted-but-expired certificate. After hitting Install, you'll have to Reset All Settings to get rid of it (bad).

- Rather, View Certificate, then request a copy of the Root Certificate Authority (.cer) and, if necessary, the Intermediate CA (.cer) that signs the sender's cert. Install these .cer certificates in your System Profiles. In my experience, I need both the Root and Intermediate CAs for iOS.
- Now (I believe), S/MIME signing and encryption certs will be added to your keychain as trusted by the Root and Intermediate CAs. But expired certs will neither be trusted nor used, allowing the updated and trusted (via the root CA) cert to be used correctly.
- This approach also works if you run your own OS X Server Mail service and cut your own trusted S/MIME certs.

Aug 18, 2015 8:56 AM in response to essandess, by essandess:
Nope -- this also fails to remove the old certificate. iOS's PKI handling appears to be fundamentally broken. Please file bug reports.

Aug 20, 2015 2:39 AM in response to Gengsheng, by essandess:
There is a way to remove old S/MIME certificates IF you have old signed email from the person. Search back through your mail and examine the certificate until you find an old one with a red Remove button rather than a blue Install button. Remove the old cert and go forward and install the new cert. AFAIK, this is the only way to remove S/MIME certificates short of reinstalling a factory iOS.
You'll have to do this separately for every contact on every iOS device every time a cert expires. This obviously scales horribly, and you can spend an hour or more searching through old email certs looking for the one to remove, especially if the PKI certs are updated at irregular periods. In one case, I had to use OS X Mail.app's better search capability to copy thousands of old emails into a temp mailbox just to be able to search for certs on iOS.
Please file bug reports.

Oct 1, 2015 2:04 PM in response to Gengsheng, by essandess:
Thankfully Apple resolved this issue in iOS 9.0.2. If you try to install a new S/MIME certificate over an existing installed cert with the same email, there is a new dialog box that asks if you want to replace the old cert. S/MIME on iOS works nicely now.

Oct 1, 2015 4:52 PM in response to Gengsheng, by essandess:
Update: The new dialog appears on iPads, but not iPhones, so this remains an open issue. Confirmed on iPad 2, 3, Air 2, and iPhone 5S and 6. Please file bug reports.

Oct 7, 2015 9:27 AM in response to Gengsheng, by RedPike:
Me too. Public keys added through the View Certificate/Install route could not be replaced just before they expired. When it was hit, the 'Install' button did not change to 'Remove' (in red). Emails sent to that recipient continue to be encrypted using the old public key. As we'd only played with S/MIME last year, we'd both deleted that year's expired private key (General\Profiles); as a result we could not decrypt each other's mails. After much pain I gave up trying to fix the problem by removing the old keys. Instead I've worked around it by re-installing our old private keys - after much restoring of stuff from backups.
Roll on the long-awaited fix for iPhone called for by essandess in his posts of 1-Oct-15.
I'm using an iPhone 5, 4s and iOS 9.0.2.

Oct 7, 2015 9:37 AM in response to RedPike, by RedPike:
BTW, I see two bugs in what I described:
Bug 1: When it was hit, the 'Install' button did not change to 'Remove' (in red).
Bug 2: Emails sent to that recipient continue to be encrypted using the old public key even after it had expired.

Dec 26, 2015 2:06 AM in response to essandess, by andreas_from_PH:
The fact that public keys have to be removed manually for each and every user using an old email, instead of simply being overwritten by the new public key, is a real nuisance that just cost me a couple of hours. Handling of public keys must be improved urgently in iOS, otherwise S/MIME encryption is far from being usable on iOS devices in practice. It should at least be possible to overwrite old certificates with new ones, preferably carried out automatically when an email signed with a new certificate is received - as implemented in many other mail agents (e.g. Thunderbird).
Furthermore, in no way should an outdated, i.e. invalid, public key be used for encryption as is presently done, least of all without even notifying the user!
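The selection rule andreas_from_PH is asking for, written up as an added Go example (not code from Apple or from anyone in this thread): a constructed store holds a contact's expired 2014 certificate and its 2015 renewal under the same rfc822Name, firstMatch mirrors the behaviour the thread describes, and pickEncryptionCert checks the validity window and fails closed instead. The address alice@example.com and all dates are constructed sample data.

```go
package main

import (
	"crypto/x509"
	"errors"
	"time"
)

// sampleStore is constructed test data: a contact's 2014 certificate, now
// expired, plus the 2015 renewal carrying the same rfc822Name.
func sampleStore() []*x509.Certificate {
	return []*x509.Certificate{
		{EmailAddresses: []string{"alice@example.com"}, NotBefore: time.Date(2014, 7, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2015, 7, 1, 0, 0, 0, 0, time.UTC)},
		{EmailAddresses: []string{"alice@example.com"}, NotBefore: time.Date(2015, 6, 15, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2016, 6, 15, 0, 0, 0, 0, time.UTC)},
	}
}

// firstMatch reproduces the behaviour the thread describes: the first stored
// certificate for the address wins, whatever its validity dates.
func firstMatch(store []*x509.Certificate, email string) *x509.Certificate {
	for _, c := range store {
		for _, e := range c.EmailAddresses {
			if e == email {
				return c
			}
		}
	}
	return nil
}

// pickEncryptionCert is what a client should do instead: ignore certificates
// that are expired or not yet valid at now, prefer the matching one that
// expires latest, and fail closed when none qualifies.
func pickEncryptionCert(store []*x509.Certificate, email string, now time.Time) (*x509.Certificate, error) {
	var best *x509.Certificate
	for _, c := range store {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue
		}
		for _, e := range c.EmailAddresses {
			if e == email && (best == nil || c.NotAfter.After(best.NotAfter)) {
				best = c
			}
		}
	}
	if best == nil {
		return nil, errors.New("no currently valid encryption certificate for " + email)
	}
	return best, nil
}
```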

Mar 27, 2016 6:54 AM in response to andreas_from_PH, by vukodlak75:
Does anyone know if this is still an issue in iOS 9.3?
I'm having this issue in 9.2.1 and unfortunately I don't have an old email for one of the certificates to remove that way.

Mar 27, 2016 12:45 PM in response to vukodlak75, by essandess:
It's still a problem for iOS 9.3 on iPhones.

Mar 27, 2016 2:29 PM in response to essandess, by vukodlak75:
That's not good.
So, does resetting all settings remove certificates?

Mar 27, 2016 5:02 PM in response to vukodlak75, by essandess:
> So, does resetting all settings remove certificates?
Unknown for iOS 9.3.
Older iOS required a complete wipe and reinstall!
Please file bug reports and report on your experience.

Mar 27, 2016 6:26 PM in response to essandess, by vukodlak75:
I reported the bug.
I ended up changing the date on my MBP to BEFORE my certificate expired.
Installed my old certificate and signed an email with it and sent it out to the other iPhones.
I now can view that certificate through the email on the other iPhones and click the "remove" button. That took care of my issue.
A pain but better than a wipe/reinstall.