News

Microsoft Exchange - what certificates is it using?

MS Exchange (MSX) has been dependent upon the correct use of X.509 certificates since version 2010. They are used for internal SMTP traffic flow, external SMTP e-mail and, of course, IIS.

Most users are now (2023) probably using Let's Encrypt free certificates, which need renewing every 90 days. Various tools exist to manage this process; some can be fully automated whilst others require some manual intervention. In any event, one of the first tasks when starting to set this up is to determine what certificates the system is using and what it is using them for.

PowerShell (PS) is your friend, although other methods exist.

Open an elevated PS shell on the server or on a workstation which has the ability to PSRemote into the server and run:

Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, subject, CertificateDomains | where {$_.Services -match "SMTP"} | fl

This will list which certificates are bound to the SMTP service - both internal and external.

A typical response will look like this:

Thumbprint         : 612D813416BEA4D6754214C529E041CDACDF3A8D
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 10/08/2023 12:43:24
Subject            : CN=www.msi.net
CertificateDomains : {www.msi.net, autodiscover.msi.net, mail.msi.co.uk, msi-msx2010.msi.net, msx-2010.msi.net}

Thumbprint         : 4D1B1E7ED14C61A32E2477FD3A7880E9A73A2FA7
Services           : SMTP
NotAfter           : 28/09/2027 13:30:25
Subject            : CN=MSI-MSX2010
CertificateDomains : {MSI-MSX2010, MSI-MSX2010.MSI.NET}

Then run the same command but replace 'SMTP' with 'IIS' to check that element. The response will look like this:

Thumbprint         : 612D813416BEA4D6754214C529E041CDACDF3A8D
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 10/08/2023 12:43:24
Subject            : CN=www.msi.net
CertificateDomains : {www.msi.net, autodiscover.msi.net, mail.msi.co.uk, msi-msx2010.msi.net, msx-2010.msi.net}

So we can see in this case that both MSX and IIS are using the same certificate [thumbprint ends in 3A8D] for external SMTP (and IMAP & POP) as well as IIS. The other SMTP entry is a different certificate [thumbprint ends in 2FA7] which is only used for internal traffic and so is self-signed.

Note that these commands rely on the MSX Management Snap-in being loaded, so you may need to run:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 [MSX 2010]

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn [>MSX 2010]
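The per-service check above can be wrapped in a small function that also flags certificates close to expiry (relevant with 90-day Let's Encrypt certificates) and self-signed certificates bound to client-facing services. This is an added example, not code from the original post; the function name Get-ExchangeCertificateReport and the $WarnDays threshold are my own, and the sample objects below are constructed to mirror the output shown above so the script can be dry-run without an Exchange server.

```powershell
# Added example: summarise Get-ExchangeCertificate output per service and
# flag expiry or a self-signed certificate on IIS/IMAP/POP.
function Get-ExchangeCertificateReport {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Certificate,   # object from Get-ExchangeCertificate
        [int] $WarnDays = 30,                          # assumed threshold, adjust to taste
        [datetime] $Now = (Get-Date)
    )
    process {
        # Services is a flags value whose string form is e.g. "IMAP, POP, IIS, SMTP"
        $services = "$($Certificate.Services)" -split ',\s*' | Where-Object { $_ }
        $daysLeft = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        $warnings = @()
        if ($daysLeft -le $WarnDays) { $warnings += "expires in $daysLeft days" }
        # Self-signed is fine for internal SMTP (as in the post) but clients will
        # reject it on IIS, IMAP or POP.
        $clientFacing = $services | Where-Object { $_ -in 'IIS', 'IMAP', 'POP' }
        if ($Certificate.IsSelfSigned -and $clientFacing) {
            $warnings += "self-signed but bound to $($clientFacing -join '/')"
        }
        foreach ($svc in $services) {
            [pscustomobject]@{
                Service    = $svc
                Thumbprint = $Certificate.Thumbprint
                Subject    = $Certificate.Subject
                NotAfter   = $Certificate.NotAfter
                DaysLeft   = $daysLeft
                Warning    = ($warnings -join '; ')
            }
        }
    }
}

# Constructed sample data mirroring the two certificates shown in the post.
$sample = @(
    [pscustomobject]@{ Thumbprint = '612D813416BEA4D6754214C529E041CDACDF3A8D'; Services = 'IMAP, POP, IIS, SMTP'
                       NotAfter = [datetime]'2023-08-10T12:43:24'; Subject = 'CN=www.msi.net'; IsSelfSigned = $false }
    [pscustomobject]@{ Thumbprint = '4D1B1E7ED14C61A32E2477FD3A7880E9A73A2FA7'; Services = 'SMTP'
                       NotAfter = [datetime]'2027-09-28T13:30:25'; Subject = 'CN=MSI-MSX2010'; IsSelfSigned = $true }
)
$sample | Get-ExchangeCertificateReport -Now ([datetime]'2023-07-20') | Format-Table -AutoSize

# On a live server (snap-in loaded):
# Get-ExchangeCertificate | Get-ExchangeCertificateReport | Format-Table -AutoSize
```

With the sample date, the www.msi.net certificate is reported on every service it serves with "expires in 21 days", while the self-signed MSI-MSX2010 certificate gets no warning because it is bound only to SMTP.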
