
Apple, ActiveSync and StartCom / StartSSL / WoSign

I am currently receiving a lot of inquiries about ActiveSync and Apple devices: Apple devices refuse to establish an ActiveSync connection to Exchange using the built-in Mail app.

If your environment matches the following description, you are affected by this problem:

I had published various articles on free certificates, including StartSSL and WoSign:

However, Apple has withdrawn its trust from these two certification authorities and removed the root certificates. Apple writes the following:

The WoSign certification authority encountered several control errors in its certificate issuance procedures for the WoSign CA Free SSL Certificate G2 intermediate certification authority. Although no WoSign root certificate is listed in the list of root certificates trusted by Apple, this intermediate certification authority used countersigned certificate relationships with StartCom and Comodo to be trusted for Apple products.

In view of these findings, appropriate measures were taken to protect users with a security update. The intermediate certification authority WoSign CA Free SSL Certificate G2 is no longer considered trustworthy by Apple products.

Source: https://support.apple.com/de-de/HT204132

In plain language, this means that WoSign and StartCom/StartSSL have messed up and are no longer considered trustworthy, so the Apple Mail app no longer establishes a connection. Apple no longer accepts certificates from the two CAs that were issued from December 2016 onwards:

In an upcoming security update, further corresponding measures will be taken to protect users. Apple products will block certificates from WoSign and StartCom root certification authorities (CAs) if the "Not Before" date is December 1, 2016 00:00:00 GMT/UTC or later.

Source: https://support.apple.com/de-de/HT204132

In plain language: all WoSign and StartCom certificates issued on or after 01.12.2016 are rejected by Apple devices.
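A quick way to triage your own Exchange certificate against exactly this rule is to pull the issuer and "Not Before" date with OpenSSL and compare them to the cut-off. The script below is an added example, not code from the original post; the `HOST` placeholder, the sample issuer string and the dates are constructed.

```python
"""Triage check for the Apple distrust rule above (added example, not from
the original post). Feed it the output of (HOST is a placeholder):
  openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
      | openssl x509 -noout -issuer -startdate
"""
from datetime import datetime, timezone

# Cut-off from Apple's advisory: Not Before on/after this date is distrusted.
CUTOFF = datetime(2016, 12, 1, 0, 0, 0, tzinfo=timezone.utc)
DISTRUSTED_CAS = ("wosign", "startcom")


def parse_openssl_date(text: str) -> datetime:
    """Parse an openssl date like 'Dec  1 00:00:00 2016 GMT'; openssl pads
    single-digit days with a second space, so whitespace is normalised."""
    text = " ".join(text.split())
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_x509_summary(output: str) -> dict:
    """Turn 'issuer=...' and 'notBefore=...' lines into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def apple_rejects(issuer: str, not_before: datetime) -> bool:
    """True when an Apple client will not trust the leaf: issued by WoSign or
    StartCom AND Not Before on or after 2016-12-01 00:00:00 UTC."""
    issuer_l = issuer.lower()
    from_distrusted_ca = any(ca in issuer_l for ca in DISTRUSTED_CAS)
    return from_distrusted_ca and not_before >= CUTOFF


def check_openssl_output(output: str) -> bool:
    """Apply the rule to raw 'openssl x509 -noout -issuer -startdate' output."""
    fields = parse_x509_summary(output)
    return apple_rejects(fields["issuer"], parse_openssl_date(fields["notBefore"]))


# Constructed sample: a StartCom-issued certificate renewed after the cut-off.
SAMPLE = """issuer=C = IL, O = StartCom Ltd., CN = StartCom Class 1 DV Server CA
notBefore=Dec 15 10:23:41 2016 GMT
"""
print("rejected by Apple devices" if check_openssl_output(SAMPLE) else "accepted")
```

The check only looks at the leaf certificate's issuer; since the WoSign intermediate was trusted via cross-signing, inspect the full chain as well if the issuer name alone looks unfamiliar.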

Anyone affected should therefore replace their certificate. Let's Encrypt also offers free certificates, but only with a 3-month validity period, which makes frequent renewal necessary.

Exchange 2016: Free certificates from Let's Encrypt

I was lucky again, but I will also be replacing my certificate:
