In previous versions of Exchange, such as 2007 and 2010, certificates were installed on the Client Access server role to provide encryption between Exchange and clients. In Exchange 2013, certificates now reside on both the Mailbox and Client Access servers.
The Client Access server role now only provides authentication and proxy/redirection logic and does not render any content, so a certificate is also required on the Mailbox server to ensure that communication between the Client Access and Mailbox servers remains secure. Exchange 2013 automatically installs a self-signed certificate on the Mailbox server as part of the installation process. The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about a self-signed certificate not being trusted, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party.
It is very important that you do not delete the self-signed certificates on the Mailbox server; doing so will break your Exchange environment!
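
Before any certificate cleanup, it helps to list what is installed on each server and mark the self-signed entries so they are not removed by mistake. The following is an added example, not part of the original article; it is meant for the Exchange Management Shell, and the function name, the server name `MBX01` and the 60-day expiry threshold are assumptions chosen for illustration.

```powershell
# Added example: inventory Exchange certificates and flag the ones to leave alone.
# Run from the Exchange Management Shell. 'MBX01' is a placeholder server name.
function Get-ExchangeCertInventory {
    param(
        [Parameter(Mandatory)] [string[]] $Server,
        [int] $WarnDays = 60    # assumed threshold for an expiry warning
    )
    foreach ($s in $Server) {
        foreach ($cert in (Get-ExchangeCertificate -Server $s)) {
            $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

            # Self-signed certificates are the ones Exchange setup created;
            # they are marked KEEP so they are never picked up by a cleanup.
            if ($cert.IsSelfSigned) {
                $action = 'KEEP (self-signed)'
            } elseif ($daysLeft -lt $WarnDays) {
                $action = 'RENEW soon'
            } else {
                $action = 'OK'
            }

            [pscustomobject]@{
                Server     = $s
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Services   = $cert.Services
                SelfSigned = $cert.IsSelfSigned
                DaysLeft   = $daysLeft
                Action     = $action
            }
        }
    }
}

# List every certificate on the Mailbox server, self-signed entries last.
Get-ExchangeCertInventory -Server 'MBX01' |
    Sort-Object Server, SelfSigned |
    Format-Table Server, Subject, Services, SelfSigned, DaysLeft, Action -AutoSize
```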