Starting with Exchange Server 2007, Microsoft added protection for Exchange data paths to Client Access Servers using SSL. SMTP communication between transport servers is also protected using TLS. To ensure this protection is enabled out-of-the-box, Exchange setup creates self-signed certificates and enables SSL and TLS by default. For external communication, procure certificates signed by a Certification Authority trusted by clients."
In Exchange 2010, new certificate management interfaces in Exchange Management Console (EMC) is introduce. Using new certificate wizards in EMC, you can:
Generate certificate signing request (CSR) to request a certificate signed by CA; Complete pending certificate request when you receive certificate signed by CA; Assign Exchange services to certificate; Renew certificates; Export certificate with its private key (private key must be marked as exportable when creating certificate, default for certificate signing requests generated by using EMC); Import certificates with private key; View certificate properties.