Carry on using self signed cert for SMTP?
We're going to be getting a Thawte SAN cert for UM, OWA, Outlook Anywhere, etc but should we assign the cert with the SMTP service or can we carry on using the self signed cert for SMTP? I know we'd have to renew it every year and understand how to do this. Thanks in advance, Graham
January 6th, 2010 1:44pm

SMTP Certificates are used for encryption and authentication for Domain Security between partner organizations. Certificates are used for direct trust connections between Hub Transport servers and Edge Transport servers. Certificates are used between Hub Transport servers to encrypt the SMTP session. In Exchange 2007, direct trust is the authentication functionality for which the presence of the certificate in the Active Directory directory service or Active Directory Application Mode (ADAM) directory service validates the certificate. Active Directory is considered a trusted storage mechanism. Certificates are also used for opportunistic TLS sessions between organizations.
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb430753(EXCHG.80).aspx
January 6th, 2010 2:17pm

Many thanks for your reply. Although I understand why certs are used and understand the implications of using self certs with some services I'm afraid I'm no nearer to understanding whether or not to carry on using the self cert for SMTP on the HUB servers (which also handle CAS hence the need for the Thawte cert) or assign SMTP to the Thawte cert.
January 6th, 2010 3:46pm

Hi Graham, The self-signed certificate can't be used for inter-organization communication, if you would like to use a self-signed certificate, the remote side must trust this certificate. For internal use, it's not a problem. So I suggest you use the commercial certificate instead of self-signed certificate. Thanks, Elvis
January 11th, 2010 10:31am

Hi Elvis, I'm not sure I understand. For the CAS servers we will be using a CA cert for the services: IIS & UM. However for the HUB servers, after reading http://technet.microsoft.com/en-us/library/bb851505%28EXCHG.80%29.aspx , it would appear that for all internal SMTP traffic (including HUB to EDGE), a CA cert is not required. "All internal SMTP and UM traffic is secured by self-signed certificates that are installed when you run Exchange 2007 Server Setup. Although you should renew these certificates yearly by using the New-ExchangeCertificate cmdlet, you do not have to have a certificate issued by a public CA to run the default internal Exchange messaging components." & "Therefore, we recommend that you use self-signed certificates only for the following internal scenarios:
SMTP sessions between Hub Transport servers: A certificate is used only for encryption of the SMTP session. Authentication is provided by the Kerberos protocol.
SMTP sessions between Hub Transport servers and an Edge Transport server: A certificate is used for encryption of the SMTP session and for direct trust authentication.
EdgeSync synchronization between Edge Transport servers and Active Directory: A certificate is used to encrypt the LDAP communication session between the ADAM instance on the Edge Transport servers and the internal Active Directory servers after the Microsoft Exchange EdgeSync service has replicated data from Active Directory to the ADAM instance on the Edge Transport server.
Unified Messaging communication: A certificate is used for encrypting Session Initiation Protocol (SIP) and Realtime Transport Protocol (RTP) traffic between UM servers and UM IP gateways, IP Private Branch eXchanges (PBXs), and computers that are running Office Communications Server 2007. The certificate is also used for encrypting SMTP traffic when voice mail or fax messages are submitted from UM servers to Hub Transport servers.
A Client Access server that is accessed only by internal clients."
January 11th, 2010 1:16pm

Hi, For internal SMTP traffic (including HUB to EDGE), a certificate is a must. You could use the self-signed certificate (which has been created when installing Exchange) as well as the commercial certificate. For internal SMTP traffic, a self-signed certificate is OK. Thanks, Elvis
January 12th, 2010 6:06am
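As an added example (not part of the thread above, and not Microsoft's own documentation), the following Exchange Management Shell session on an Exchange 2007 Hub Transport server shows the practical side of Elvis's answer: how to see which certificate is currently enabled for SMTP, how to spot a self-signed SMTP certificate that is about to expire, and how to renew it with New-ExchangeCertificate as the quoted TechNet text recommends. The thumbprint is a placeholder; the 30-day warning window is an assumption chosen for illustration.

```powershell
# Added example, not from the thread: inspect and renew the self-signed SMTP
# certificate on an Exchange 2007 Hub Transport server. Run in the Exchange
# Management Shell. '<old-self-signed-thumbprint>' is a placeholder.

# 1. List every certificate Exchange knows about. The Services column tells you
#    what each certificate is enabled for (S = SMTP, W = IIS, U = UM, P = POP, I = IMAP),
#    so you can see whether the Thawte certificate or the self-signed one owns SMTP.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Flag self-signed certificates enabled for SMTP that expire within 30 days
#    (the yearly renewal the TechNet article talks about). 30 days is an assumed window.
$warnBefore = (Get-Date).AddDays(30)
$expiring = Get-ExchangeCertificate | Where-Object {
    $_.IsSelfSigned -and ($_.Services -match 'SMTP') -and ($_.NotAfter -lt $warnBefore)
}
$expiring | Format-Table Thumbprint, NotAfter, CertificateDomains -AutoSize

# 3. Renew: piping the existing self-signed certificate into New-ExchangeCertificate
#    creates a new self-signed certificate with the same subject and domain names
#    and a fresh validity period.
$old = Get-ExchangeCertificate -Thumbprint '<old-self-signed-thumbprint>'
$new = $old | New-ExchangeCertificate

# 4. Enable the new certificate for SMTP and confirm the binding took effect.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Services, NotAfter, IsSelfSigned

# 5. If Edge Transport servers use direct trust against this Hub, re-run EdgeSync so
#    the new certificate reaches the Edge servers before the old one is removed.
Start-EdgeSynchronization

# 6. Only after everything is verified, remove the expired or superseded certificate.
# Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
```

Note that more than one certificate can be enabled for SMTP at the same time; Exchange picks the one whose domain names match the FQDN on the send or receive connector being used. That is why the Thawte certificate can carry SMTP for any Internet-facing connector while the self-signed certificate keeps handling Hub-to-Hub and Hub-to-Edge sessions, as Elvis describes. The removal step is left commented out on purpose so the session cannot take a certificate out of service before the new binding has been checked.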
