iPadOS 13 Mail Certificate "Cannot Verify Server Identity"

I run a private IMAP server that uses a certificate signed by a private Certificate Authority (I created the CA in Keychain.app on my Mac and I then created the IMAP server's cert, signed by the private CA taken from Keychain.app).


A long time ago, iOS Mail app made it easy to get my mail by first warning about the cert, but then easily allowing me to trust the cert with a simple click.

On iOS 12.x, things got harder, but I was able to install the CA as a Profile, then go to Settings -> General -> About -> Certificate Trust Settings to mark the CA as trusted, and that allowed the Mail app to trust the IMAP server's certificate (via the private CA via the trusted profile).


I already had the CA's profile installed and trusted before upgrading my iPad Pro to iPadOS 13.0 (beta).

The upgrade to iPadOS 13 removed the CA's profile, so I re-installed the CA's profile.

The CA showed up under Settings -> General -> About -> Certificate Trust Settings as already trusted.


Nonetheless, attempting to read e-mail from my private IMAP server results in "Cannot Verify Server Identity" as if the server's cert is not being properly matched to the CA's profile. :-(


I am now faced with a pop-up, every few seconds stating, "Cannot Verify Server Identity" in the middle of anything I am doing on the iPad. :-(((((


Any solutions?

Accepted Reply

YAY! Workaround seems to be to delete and recreate the mail account after installing the private certificate authority! =D =D =D


Finally I can enjoy testing out the more interesting iPadOS 13.0 (beta) features, other than just the one of always hitting the "cancel" button on the "Cannot Verify Server Identity" prompt, every few seconds. ;-)

Replies

The longer history is that the certificate expired last year and I couldn't get iOS 12 to accept a new CA + Server Cert, which I generated using certutil on the platform that runs the IMAP service (not a Mac).


That is what led me to use a Mac on Sierra (at the time) to act as the CA. The fact that the "generic" certutil CA didn't work, but the one generated on the Mac did work, led me to conclude that Apple's Mail app is picky about the contents of the CA + Server Cert.

But anyway, everything worked with the CA + Server Cert generated on macOS Sierra, so that's the CA that I have been using, since last year.


Just now, I generated an entirely new CA and Server Cert on a Mac running Mojave.

The new CA is definitely being referenced by the Mail app on the iPad Pro (iPadOS 13.0 beta), because I can see in the details that the CA expiry date is the later one that I just set.

However, the new CA does not solve the problem of "Cannot Verify Server Identity" popping up all the time.


I used the new CA on my iPhone and another iPad and have proven that the brand new one, generated on Mojave, is fine for iOS 12.


My thought process was, maybe Apple changed something in what they're looking for in the certificate between those generated on Sierra and Mojave. I guess not.


I don't have the Catalina beta installed yet, to see if generating a CA there would help. :-/


I am hesitant to fiddle too much more without some actual insight from someone who might know, "Oh, yeah, Apple changed ABC, so now you have to do XYZ." (Or even, "It's a bug...")

How does one install a private certificate authority?

First, get the certificate onto your iPhone or iPad. AirDrop the .crt file, or email it to yourself. Then open it on the device, and new in iOS 13 you get a notification that you have to enable it in a separate step from Settings.


In Settings, find the certificate (it showed in a separate temporary category at the top of Settings, but should also be under Settings->General->Profiles) and choose to install it. There are several accept steps. Check at each step that you're installing what you think you are.


Finally, go back to Settings->General->About->Certificate Trust Settings, and enable the self-signed Root certificate in that panel. See https://support.apple.com/en-nz/HT204477 for more details.


As with the OP, I found that this only worked for newly-added mail accounts. I had to remove and re-add my server to get it to accept the self-signed root.