tashatuvango - Fotolia
You might think a free or inexpensive Exchange security certificate is a good idea. It's not.
Inexpensive or free Secure Sockets Layer (SSL) certificates might save on the bottom line, but they will cost you in other areas. If that certificate you got a deal on isn't working properly, then don't expect top tier support to correct it. Also, the point of an SSL certificate is security, which will be lacking without an investment with one of the more reputable dealers, such as RapidSSL and DigiCert. Hackers and malware will find a way around that low-cost SSL certificate or manipulate it to gain access to your servers.
You can check your SSL certificate status and rating on many websites. I use Qualys SSL Labs. It tells you about your cipher suites -- the group of algorithms that handle authentication and encryption -- and rates the certificate.
Stay on top of the SSL certificate expiration dates, and don't let them lapse. If you don't renew them, your users will get pop-ups when they open Outlook and when they log in to Outlook on the web. Some browsers might not let you access the website. Exchange will prompt you well in advance as a certificate's expiration date nears. A certificate check on SSL Labs or a similar site should also reveal that date.
Another thing to look out for is your SSL certificate chain. If you lock down your Exchange Server so it does not have access to the internet except for mail or user access, then you will also get an invalid certificate error message in Exchange. The same goes for your load balancer because it handles all traffic from the internet and is essentially your firewall. The SSL certificate needs to be kept up to date here to avoid a break in the chain.
It helps to stay on top of any news related to certificate changes to see if they affect your organization. In 2018, an issue with SSL certificates from Symantec resulted in Google requiring certificate holders to reissue their SSL certificates.