Hi
When you install Exchange Server 2013, it is pre-configured with default namespaces matching the server's fully-qualified domain name (FQDN).
Create a new certificate using the Exchange 2013 server, with SANs for the existing OWA URL (e.g. Mail.domain.com), the autodiscovery URL (e.g. Autodiscovery.domain.com) and the legacy URL (e.g. Legacy.domain.com) to point it to the legacy Exchange server. Include additional URLs, if required.
Prepare to configure the internet firewall to point all OWA (mail.domain.com) web Internet traffic to the load balancer if you have multiple Exchange 2013 CAS servers; otherwise you can point directly to Exchange 2013 if you have one Exchange server. This is important because Exchange 2013 CAS server has a point of contact for all OWA requests, from both internal and external.
Add a legacy.domain.com DNS entry, both internally and externally, pointing to the legacy Exchange 2010 CAS servers, and also open the internet firewall ports to point legacy.domain.com to the Exchange 2010 CAS servers.
If you have a TMG/UAG server in the DMZ, create an additional OWA rule for legacy.domain.com to point to the Exchange 2010 server.
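
A pre-cutover check for the steps above, added here as an example and not part of the original post: it confirms that the certificate bound to IIS on the Exchange 2013 server covers every namespace and shows where each name currently resolves. The hostnames are the post's placeholders, and `Resolve-DnsName` assumes Windows Server 2012 or later.

```powershell
# Run in the Exchange Management Shell on the Exchange 2013 server.
# Placeholder namespaces taken from the post; replace with your own.
$required = 'Mail.domain.com', 'Autodiscovery.domain.com', 'Legacy.domain.com'

# Only certificates enabled for IIS are presented to OWA clients.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' }
if (-not $iisCerts) { Write-Warning 'No certificate is enabled for IIS.' }

foreach ($cert in $iisCerts) {
    # SAN entries as lower-case strings (wildcards appear as *.domain.com).
    $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    $missing = foreach ($name in $required) {
        $n = $name.ToLower()
        # A wildcard SAN covers exactly one label to the left of its suffix.
        $wildcard = '*' + $n.Substring($n.IndexOf('.'))
        if (($sans -notcontains $n) -and ($sans -notcontains $wildcard)) { $name }
    }

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Status      = $cert.Status
        Expires     = $cert.NotAfter
        DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        MissingSANs = if ($missing) { $missing -join ', ' } else { '(none)' }
    }
}

# Where does each namespace resolve from this machine? Run once from an
# internal host and once from an external one and compare the answers.
foreach ($name in $required) {
    $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{
        Name      = $name
        Addresses = if ($records) { $records.IPAddress -join ', ' } else { 'NOT RESOLVED' }
    }
}
```

Any entry under MissingSANs means clients hitting that namespace will get a certificate name mismatch once traffic is pointed at the Exchange 2013 server.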