Per this TechNet article, Exchange should automatically retrieve the right certificate; it will even create self-signed certificates if none exist:
But this was not happening for me. Maybe the article is missing a step, but in order to be able to use the certificate, I had to assign the certificate UM capabilities using the command:
- To get the thumbprint of the cert you need to enable, use the command Get-ExchangeCertificate.
After this, I was able to start the MSExchangeUM service.
Note: In order for this to work with OCS, a cert from a CA trusted by both the OCS server(s) and Exchange must be used, or the self-signed cert must be installed on the OCS server.
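The steps above (find the thumbprint, assign the UM service, start MSExchangeUM) as one Exchange Management Shell script; this is an added example, not the command from the original post. The subject name filter is an assumption, and the self-signed check reflects the OCS note above.

```powershell
# Added example: enable a certificate for Exchange Unified Messaging and verify it.
# The subject pattern below is a placeholder; replace it with your UM server's name.
$SubjectPattern = 'CN=um.example.com'

# Show every certificate Exchange knows about and which services each already serves.
Get-ExchangeCertificate | Format-Table Thumbprint, Subject, Services, NotAfter -AutoSize

# Pick the intended certificate by subject, skipping expired ones. If several match,
# take the one that expires last.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*$SubjectPattern*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No unexpired certificate matching $SubjectPattern was found." }

# A self-signed cert (issuer equals subject) works for Exchange alone, but OCS will only
# trust it if it has been installed on the OCS server, so flag it rather than use it silently.
if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed; install it on OCS or use a CA-issued cert."
}

# Assign the UM capability by thumbprint (subjects are not unique; thumbprints are).
# -Services takes a comma-separated list if the same cert also serves IIS, SMTP, etc.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services UM

# Start the UM service, then confirm the assignment actually took effect.
Start-Service -Name MSExchangeUM
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if ($check.Services -notmatch 'UM') { throw "UM was not assigned to $($cert.Thumbprint)." }
Get-Service -Name MSExchangeUM | Select-Object Name, Status
```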