We have several Exchange 2013 servers in the AD domain with a local CA installed and configured correctly. Every Exchange server has SSL certificates generated for it by the CA. Those certificates are attached to the services by using Set-ExchangeCertificate. However, during installation Exchange generates its own self-signed certificates and attaches them to the same services.
The final picture can look like this (Mailbox server role):
[PS] C:\temp>Get-ExchangeCertificate
1BBD5EE99EF8FA6C17977DAF9A40D611292482D9 IP..S.. CN=SERVER.org.com
50C52CB800E8D75E2972EB4B31E9D6E3125136F5 IP.WS.. CN=SERVER.org.com, O=Org, C=Com
CF10F109E60D735F16ED7300ACF3C00715458C71 ....S.. CN=Microsoft Exchange Server Auth Certificate
B1129A00CDCA7A588F7C90DB67E56248821AE879 IP..S.. CN=SERVER
33BAA0348B8C0BC6A1F3E1951220CDA9DB29F649 ....... CN=WMSvc-SERVER
As we can see, all the certificates except the last one are attached to the SMTP service, for example. Three of them are attached to the IMAP service.
The question is, how does Exchange choose one of the certificates attached to the same service? Is it safe to remove one of multiple certificates (the self-signed one, in particular) on the fly?
Evgeniy Lotosh
MCSE: Server Infrastructure, MCSE: Messaging
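Before removing any of the certificates listed above, a practitioner would want to know, per service, which certificates would still be bound afterwards and whether at least one of them is CA-issued and unexpired. The following Exchange Management Shell function is an added example for that check; it is not part of the original post, and it assumes Get-ExchangeCertificate exposes the Services, IsSelfSigned, NotAfter, Subject and Thumbprint properties and that the seven Services flags are IMAP, POP, UM, IIS, SMTP, Federation and UMCallRouter (the seven columns in the output above).

```powershell
# Added example (not from the original post): report which certificates back each
# Exchange service and whether removing a given thumbprint would leave a service
# with no valid CA-issued certificate. Run in the Exchange Management Shell.
function Get-ExchangeCertificateBindingReport {
    param(
        [string]$Server = $env:COMPUTERNAME,
        # Thumbprint you are considering removing; leave empty for a plain inventory.
        [string]$CandidateThumbprint = ''
    )
    $certs = Get-ExchangeCertificate -Server $Server
    # Assumed flag names for the seven Services columns shown by Get-ExchangeCertificate.
    $services = 'IMAP', 'POP', 'UM', 'IIS', 'SMTP', 'Federation', 'UMCallRouter'
    $now = Get-Date

    foreach ($svc in $services) {
        # Services is a flags enum; its string form is "IMAP, POP, IIS, SMTP", so split it.
        $bound = @($certs | Where-Object { ($_.Services.ToString() -split ',\s*') -contains $svc })
        if ($bound.Count -eq 0) { continue }

        # What would remain bound to this service if the candidate were removed.
        $remaining = @($bound | Where-Object { $_.Thumbprint -ne $CandidateThumbprint })
        $validCaRemaining = @($remaining | Where-Object {
            -not $_.IsSelfSigned -and $_.NotAfter -gt $now
        })

        [pscustomobject]@{
            Service        = $svc
            BoundCount     = $bound.Count
            SelfSigned     = @($bound | Where-Object { $_.IsSelfSigned }).Count
            CaIssuedValid  = $validCaRemaining.Count
            # True only if a CA-issued, unexpired certificate stays bound after removal.
            RemovalKeepsCA = ($CandidateThumbprint -eq '') -or ($validCaRemaining.Count -ge 1)
            Certificates   = ($bound | ForEach-Object {
                '{0} {1}' -f $_.Thumbprint.Substring(0, 8), $_.Subject
            }) -join '; '
        }
    }
}

# Check the self-signed CN=SERVER certificate from the listing above before removing it.
Get-ExchangeCertificateBindingReport -CandidateThumbprint 'B1129A00CDCA7A588F7C90DB67E56248821AE879' |
    Format-Table -AutoSize
```

A RemovalKeepsCA value of False for any service means the removal would leave that service relying on self-signed or expired certificates only, which is the case to investigate before touching anything.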