When we install Exchange Server, some certificates are installed on the server by default.
So let's talk about what they are and what they are used for.
Below I have attached a screen from one of my newly installed Exchange Server 2016 servers. I can see the first cert is assigned the SMTP service, and the next one IMAP, POP, IIS and SMTP; they are both valid for 5 years.
The 3rd one does not have any service assigned and is valid for 10 years.
So let's talk about each type of certificate.
The default Exchange self-signed certificate (the one enabled for IMAP, POP, IIS and SMTP) has the following capabilities:
- The certificate is automatically trusted by all other Exchange servers in the organization. This includes Edge Transport servers that are subscribed to the Exchange organization.
- The certificate is automatically enabled for all Exchange services except Unified Messaging, and is used to encrypt internal communication between Exchange servers, Exchange services on the same computer, and client connections that are proxied from the Client Access services to the backend services on Mailbox servers.
- The certificate is automatically enabled for inbound connections from external SMTP messaging servers, and outbound connections to external SMTP messaging servers. This default configuration allows Exchange to provide opportunistic TLS on all inbound and outbound SMTP connections. Exchange attempts to encrypt the SMTP session with an external messaging server, but if the external server doesn't support TLS encryption, the session is unencrypted.
The certificate doesn't provide trusted encrypted communication with internal or external clients. Clients and servers don't trust the Exchange self-signed certificate, because the certificate isn't present in their trusted root certification stores, so clients such as browsers or Outlook will show certificate warnings until a certificate from a trusted CA is installed and enabled for those services.
Microsoft Exchange Server Auth Certificate
This Exchange self-signed certificate is used for server-to-server authentication and integration by using OAuth. It is not enabled for client-facing services. For more information, see Integration with SharePoint and Lync.
WMSvc certificate
This Windows self-signed certificate (the third one in the screen above, with no Exchange services assigned) is used by the Web Management service (WMSvc) in IIS to enable remote management of the web server and its associated websites and applications.
If you remove this certificate, the Web Management service will fail to start if no valid certificate is selected. Having the service in this state can prevent you from installing Exchange updates, or uninstalling Exchange from the server. For instructions on how to correct this issue, see Event ID 1007 — IIS Web Management Service Authentication
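As an added example (not part of the original post), the following Exchange Management Shell script lists the certificates described above and flags the two things worth checking on a fresh server: a self-signed certificate still bound to client-facing services (IIS, IMAP, POP) and any certificate approaching its expiry date. It assumes Get-ExchangeCertificate is available, i.e. it runs in the Exchange Management Shell; the $WarnDays threshold is an assumed value.

```powershell
# Added example, not the post's own code: audit the default Exchange certificates.
# Assumes the Exchange Management Shell (Get-ExchangeCertificate is loaded).
param(
    [string]$Server   = $env:COMPUTERNAME,  # Exchange server to inspect
    [int]$WarnDays    = 90                  # assumed warning threshold for expiry
)

$now = Get-Date

Get-ExchangeCertificate -Server $Server | ForEach-Object {
    $cert     = $_
    $services = $cert.Services.ToString()          # e.g. "IMAP, POP, IIS, SMTP" or "None"
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $notes    = @()

    # A self-signed cert on IIS/IMAP/POP means clients will not trust the connection.
    if ($cert.IsSelfSigned -and ($services -match 'IIS|IMAP|POP')) {
        $notes += 'self-signed certificate on client-facing service'
    }

    # Expiry check: the default certs are valid for 5 years (WMSvc for 10),
    # so this mostly matters for CA-issued certificates added later.
    if ($daysLeft -le $WarnDays) {
        $notes += "expires in $daysLeft days"
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SelfSigned = $cert.IsSelfSigned
        Services   = $services
        NotAfter   = $cert.NotAfter.ToString('yyyy-MM-dd')
        Notes      = ($notes -join '; ')
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

The WMSvc and Auth certificates show Services as "None" and "SMTP" respectively and should be left in place; only the certificate bound to IIS/IMAP/POP is the one you normally replace with a CA-issued certificate.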