Question : Problem: ActiveSync to iPhone / WinMo still working after SSL certificate revocation and renewal.

So I've got ActiveSync working to iPhones and WinMo clients in testing - all is good. However, when I come to remove the cert from IIS on the Exchange box (2003), revoke the cert at the CA level and then create a new cert / renew at IIS again, all clients can still connect without having to renew their installed certificates.

Surely this is wrong? They should fail, right, as I haven't re-imported the new cert into them.

Do they continue to work because ActiveSync seems to only work with a ROOT level cert installed on the device, i.e. a cert that says 'anything from this domain is good'? Certainly when I look at the certs on my WinMo device it appears as a ROOT, and when I delete this from the device and create an 'intermediate' certificate in IIS - something which appears to only provide validation for the particular server in question - and then import it into the device, ActiveSync no longer works.

Someone point me in the right direction please? I'm at the limits of my knowledge with this, and I can't believe that MS would design the paradigm such that effectively ActiveSync can only work with a non-revocable certificate. Unless they designed it such that only user / client certificates can be revoked to disable access - a feature that Apple's implementation doesn't support.


Cheers

Alastair

Answer : Problem: ActiveSync to iPhone / WinMo still working after SSL certificate revocation and renewal.

The latest version of iPhone firmware does support client certificates...

I think there is some confusion about what a server certificate will do... All the server certificate will do is identify ActiveSync as being a trusted source to the phone.

Before you remove the certificate you will have chosen to trust it on the iPhone. This tells the iPhone that anything coming from your CA is trustable (your CA is then added to the trusted roots of the phone). When you are removing the certificate, ActiveSync must be falling back on to one that has the same root, therefore the iPhone trusts it straight away.

Main idea: A server certificate is identification of the server, not the client. When you remove any certificate from ActiveSync it will fall back to another one to identify itself; in this case this is still trusted by the iPhone. That said, even if it wasn't trusted, all you would have to do is click "Accept" once and that cert root would become trusted...

I hope I am making sense...
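To make the point in the answer concrete, here is a small added example (not code from this thread or from Microsoft or Apple) that builds a throwaway root CA with Python's `cryptography` package, issues an "old" and a "renewed" server certificate from it, and publishes a CRL listing the old one. The check a device does when it only holds the root (issuer name plus signature) passes for both certificates; only a separate revocation lookup against the CA's CRL tells them apart. The CA name, hostname and clock are constructed for the demo.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
NOW, DAY = datetime(2024, 1, 1), timedelta(days=1)  # constructed fixed clock

def make_ca():
    """Root CA key + self-signed cert: the ROOT the device has installed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_server_cert(ca_key, ca_cert, hostname):
    """Server cert for the IIS box, signed by the root; a renewal is just another one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + 365 * DAY)
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serial):
    """CRL the CA publishes after revoking; it only matters if the client fetches it."""
    rc = x509.RevokedCertificateBuilder().serial_number(revoked_serial).revocation_date(NOW).build()
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
            .last_update(NOW).next_update(NOW + 7 * DAY)
            .add_revoked_certificate(rc).sign(ca_key, hashes.SHA256()))

def chain_ok(cert, ca_cert):
    """All a device holding only the root checks: issuer name and a valid signature."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def revoked(cert, crl):
    """The separate revocation step: is this serial on the CA's CRL?"""
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

Run with `old = issue_server_cert(...)`, `new = issue_server_cert(...)` and `crl = build_crl(ca_key, ca_cert, old.serial_number)`: `chain_ok` is True for both, while `revoked` is True only for `old`.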
