Much of this communication, particularly clients and applications, involves username and password-based authentication.
A standard SSL certificate contains a single name and is generally the cheapest to purchase, however these are not suitable for even the simplest of namespace designs.
A wildcard SSL certificate allows you to secure multiple names on a domain without having to specify the exact names on the certificate itself.
An example of this approach can be seen at the following article: In addition to the HTTPS namespace it is also common to use a separate namespace for each of the SMTP, POP and IMAP services, although it is certainly not required to do so.
There is also the Autodiscover CNAME to consider, and the root domain as well.
In a simple environment where the domain name used for email addresses is exchange2016demo.com, and taking all of the above into consideration, the namespaces could be planned as: The recommended practice is to only include aliases as namespaces on SSL certificates, and not any server fully-qualified domain names (real server names).
Due to recent changes to certificate issuance rules you may also find it impossible to request an SSL certificate for a domain name that is not internet-routable or that you do not legitimately own (e.g., domain.local).
Other information transmitted during the session may also be sensitive and prone to abuse if interception was possible.
To secure these communications Exchange Server 2016 uses SSL certificates to encrypt the network traffic between the server, clients and applications.
If you make an error with your namespace planning or need to add a name later Digicert and some other providers will allow you to re-issue the certificate at no cost, while other providers will charge a re-issuing fee.