How to Determine When to Use Certificates Issued by Public CAs and When to Use Self-Signed Certificates?

Whenever your users are access Exchange components that require authentication and encryption from outside your corporate firewall, it is time to deploy a certificate issued by a public CA. Let users are accessing Exchange ActiveSync, POP3, IMAP4, and Outlook Anywhere. so in this case you require a certificate that is issued by a public CA.

A self-signed certificate used by Exchange 2007 component that uses Kerberos, Direct Trust, or NTLM authentication. These are all internal Exchange 2007 components, to the fact that the data paths are between Exchange 2007 servers and within the corporate network that is defined by Active Directory.