Hi Roger,
As per my understanding even if the certificates are shown to be assigned to some services doesn't necessarily mean they are used for those services live\currently.
When you import a new certificate and assign services to it, you would get a prompt.(provided you have old cert already in-place)
Asking to Confirm overwriting existing certificates assigned to services. as shown
here.
You can validate this by opening OWA and check the certificate presented to you.
The point is you don't need to remove the self-signed certificate which exchange generated for you.
Basically the Assigned Services will come into play when you are actually using the certificate.
For instance the IIS->Default Web Site and IIS->Exchang Back End has separate binding certificates for SSL. When you view from EAC it just shows you services assigned IIS,SMTP. But what it doesn't tell you is that its been used in two different places
or its been overwritten by a newer one already.
As explained in this article
Checkboxes Greyed Out When Managing Services for an Exchange 2013 SSL Certificate:
Exchange 2013 will not allow you to disable/unassign an SSL certificate from a service that requires SSL. Instead, you should
enable another SSL certificate to that service, which will automatically disable the existing one for you (for that specific service, not necessarily all services).
NOTE:- If you want to
remove old Godaddy certificate that no longer in use, run the below cmdlet.
Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e
Similar issue:
Remove Services assigned to Exchange Certificate:
https://social.technet.microsoft.com/forums/exchange/en-US/15e79a3e-023e-456c-a021-1d8a24bc3b82/remove-services-assigned-to-exchange-certificate