Hi Julio,
Thank you for your question.
When configuring a hybrid deployment, many services make use of certificates, for example: Active Directory Federation Services (AD FS), Exchange federation, Exchange services, and existing Exchange servers, so we must use and configure certificates that we have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Exchange 2013 Mailbox and Client Access servers.
We will deploy more than one certificate in a hybrid environment. We recommend that you use a dedicated third-party certificate for any optional AD FS server, another certificate for the Exchange services for your hybrid deployment, and if needed, another certificate on your Exchange servers for other needed services or features. The on-premises federated trust configured as part of federated sharing in a hybrid deployment uses a self-signed certificate by default. Unless you have specific requirements, there's no need to use a third-party certificate with the federation trust configured as part of a hybrid deployment.
We could refer to the following link:
https://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx
If there are any questions regarding this issue, please feel free to let me know.
Best regards,
Jim
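
The requirement in the reply above, that the hybrid mail transport certificate be installed on every on-premises Mailbox and Client Access server, can be checked with a short audit. This is an added example, not part of the original reply or of Microsoft's documentation; the function name `Test-HybridTransportCert`, the server names and the thumbprints are hypothetical, and the sample records are constructed to mirror properties returned by `Get-ExchangeCertificate`.

```powershell
# Added example: report which servers hold the shared, CA-issued SMTP certificate.
# Input records carry Thumbprint, Services, IsSelfSigned and NotAfter (as returned
# by Get-ExchangeCertificate) plus a Server name attached by the caller.
function Test-HybridTransportCert {
    param(
        [Parameter(Mandatory)] [object[]] $Certificates,
        [Parameter(Mandatory)] [string[]] $Servers,
        [datetime] $Now = (Get-Date)
    )
    # Usable = enabled for SMTP, not self-signed, not expired.
    $usable = $Certificates | Where-Object {
        "$($_.Services)" -match 'SMTP' -and -not $_.IsSelfSigned -and $_.NotAfter -gt $Now
    }
    # The transport certificate should be the same one on every server: take the
    # thumbprint found on the most servers and flag any server that lacks it.
    $common = $usable | Group-Object Thumbprint |
        Sort-Object Count -Descending | Select-Object -First 1
    foreach ($s in $Servers) {
        $hit = $usable | Where-Object {
            $_.Server -eq $s -and $common -and $_.Thumbprint -eq $common.Name
        }
        [pscustomobject]@{
            Server     = $s
            Thumbprint = if ($hit) { $common.Name } else { $null }
            Compliant  = [bool]$hit
        }
    }
}

# Constructed sample data (placeholder thumbprints, hypothetical server names).
# EX03 only has a self-signed certificate bound to SMTP, so it is flagged.
$valid = (Get-Date).AddYears(1)
$sample = @(
    [pscustomobject]@{ Server='EX01'; Thumbprint='AAAA1111'; Services='IIS, SMTP'; IsSelfSigned=$false; NotAfter=$valid }
    [pscustomobject]@{ Server='EX02'; Thumbprint='AAAA1111'; Services='IIS, SMTP'; IsSelfSigned=$false; NotAfter=$valid }
    [pscustomobject]@{ Server='EX03'; Thumbprint='BBBB2222'; Services='SMTP';      IsSelfSigned=$true;  NotAfter=$valid }
)
Test-HybridTransportCert -Certificates $sample -Servers 'EX01','EX02','EX03' | Format-Table

# In the Exchange Management Shell, live records could be collected like this:
#   Get-ExchangeServer | ForEach-Object { $srv = $_.Name
#     Get-ExchangeCertificate -Server $srv | Select-Object `
#       @{Name='Server';Expression={$srv}},Thumbprint,Services,IsSelfSigned,NotAfter }
```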