Hi,
Yes,you need to install the trusted third-party certificate in exchange environment.
One problem with self-signed and PKI-based certificates is that, because the certificate is not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client
computers and devices.
Third-party or commercial certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted.
So I think the best solution is to use a third-party or commercial certificate in your environment.
Regards,
David