Hi Reno,
It's best to use an SSL X.509 certificate with all the domains, primary and alternative, used by your Exchange setup.
It is best for it to be an SSL SAN or wildcard certificate from a trusted third-party or commercial CA. With self-signed and PKI-based certificates you have the extra headache of importing them to the client.
Use the following criteria when you select a CA to buy your certificates from:
- Ensure the CA is trusted by the client software (operating systems, browsers, and mobile phones) that will connect to your Exchange servers.
- Choose a CA that says it supports Unified Communications certificates for use with Exchange server.
- Make sure that the CA supports the kinds of certificates that you'll use. Consider using subject alternative name (SAN) certificates. Not all CAs support SAN certificates, and other CAs don't support as many host names as you might need.
- Make sure that the license you buy for the certificates allows you to put the certificate on the number of servers that you intend to use. Some CAs only allow you to put a certificate on one server.
- Compare certificate prices between CAs.
Digital certificates and SSL:
https://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
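
Added example, not part of the original reply: a PowerShell check that a certificate's SAN list covers every host name clients will use, before you order a SAN or wildcard certificate. The host names and the function names `Test-SanCoversHost` and `Get-UncoveredHost` are constructed for illustration; the wildcard rule applied is the standard one, where `*` stands for exactly one leftmost label.

```powershell
# Added example: host names below are constructed, not taken from the post.

function Test-SanCoversHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$SanEntries
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($san in $SanEntries) {
        $s = $san.ToLowerInvariant().TrimEnd('.')
        if ($s -eq $h) { return $true }                 # exact SAN match
        if ($s.StartsWith('*.')) {
            $suffix = $s.Substring(1)                   # e.g. ".contoso.example"
            if ($h.EndsWith($suffix)) {
                $left = $h.Substring(0, $h.Length - $suffix.Length)
                # The wildcard stands for one non-empty label: it covers neither
                # the bare domain nor names two or more levels below it.
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-UncoveredHost {
    param([string[]]$RequiredHosts, [string[]]$SanEntries)
    $RequiredHosts | Where-Object {
        -not (Test-SanCoversHost -HostName $_ -SanEntries $SanEntries)
    }
}

# Constructed list of names an Exchange deployment might publish.
$required = @(
    'mail.contoso.example',
    'autodiscover.contoso.example',
    'contoso.example',
    'owa.eu.contoso.example'
)

# Two candidate certificates: an explicit SAN list and a single wildcard.
$sanCert  = @('mail.contoso.example', 'autodiscover.contoso.example')
$wildcard = @('*.contoso.example')

'SAN certificate does not cover: ' + ((Get-UncoveredHost $required $sanCert) -join ', ')
'Wildcard certificate does not cover: ' + ((Get-UncoveredHost $required $wildcard) -join ', ')
```

Any name reported as uncovered has to be added to the SAN list before ordering, which is where a CA's limit on the number of host names matters.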