I have worked with different Exchange environments, and ever since the release of Exchange 2007 the use of a certificate has been compulsory. It should be either a self-signed or a third-party certificate, and it should contain the domain names. The best practice is to use a SAN (Subject Alternative Name) certificate.
These are the things that I learned while renewing a certificate or installing a new one:
1. Always use an Exchange PowerShell script or the Exchange console to import the certificate.
Reason: I have seen a few admins prefer to use the certificate console to import the certificate. When you install using the certificate console, it may not be reflected in the Exchange console when you want to assign the services.
2. Always generate the CSR from Exchange PowerShell or the IIS service.
Reason: When you create a CSR, there will be a thumbprint associated with it. So when you complete the certificate installation for the request, the certificate that you install should match the thumbprint.
If you install a certificate that doesn't match the thumbprint, you might see the installation succeed, but the certificate won't show up in Exchange PowerShell or in the console. You can, however, still find the certificate in the certificate console on that local computer.
3. Always use a SAN certificate
Reason: As you may know, there are Exchange services such as EWS, Autodiscover and so on, and you need a certificate for each service. If you use single-domain certificates, it would be expensive and add more complication to the Exchange setup.
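
The three points above as one Exchange Management Shell script; this is an added example, not part of the original post. The host names, file paths and the choice of the IIS and SMTP services are assumptions, and the syntax shown is for Exchange 2010 and later.

```powershell
# Added example. Host names and file paths are placeholders (assumptions).
$names   = 'mail.contoso.com', 'autodiscover.contoso.com'   # SAN entries
$reqFile = 'C:\certs\mail.req'   # CSR to send to the CA
$cerFile = 'C:\certs\mail.cer'   # certificate returned by the CA

if (-not (Test-Path $cerFile)) {
    # First run (point 2): create the CSR on the Exchange server itself so the
    # pending request and its private key live in this server's store.
    $request = New-ExchangeCertificate -GenerateRequest `
        -SubjectName 'CN=mail.contoso.com' `
        -DomainName $names `
        -PrivateKeyExportable $true
    Set-Content -Path $reqFile -Value $request

    # The pending request is now listed by Exchange.
    Get-ExchangeCertificate |
        Where-Object { $_.Status -eq 'PendingRequest' } |
        Format-List Thumbprint, Subject, CertificateDomains
    return   # submit $reqFile to the CA, save the reply as $cerFile, run again
}

# Second run (point 1): import with the Exchange cmdlet, on the same server
# that generated the request, not with the certificate console.
$bytes    = [byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes
$cert     = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# A certificate that did not pair with the pending request has no private key
# and cannot be assigned to services.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

# Point 3: confirm every expected name is present in the SAN list.
$sanList = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $names | Where-Object { $sanList -notcontains $_ }
if ($missing) { throw "Names missing from certificate: $($missing -join ', ')" }

# Assign services (Exchange may ask to replace the default SMTP certificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# Diagnostic: certificates in the local computer store that Exchange does not
# list, i.e. visible in the certificate console but not in Exchange.
$known = Get-ExchangeCertificate | ForEach-Object { $_.Thumbprint }
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $known -notcontains $_.Thumbprint } |
    Select-Object Thumbprint, Subject, HasPrivateKey, NotAfter
```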