We use Exchange Server and Microsoft Outlook for our e-mail. We use self-signed SSL certs.
You have absolutely no idea what you are talking about.
[...]
You can roll out your own CA, whether it is to use at home or in a Fortune 100 company.
You know there's a difference between using self-signed certs, and an internal CA, right?
(of course, all root CA certs are self-signed and intermediary CA certs are not, but the distinction is that you usually don't use the self-signed cert itself for anything but signing other certs).
Using your own internal CA (which you can either do by getting a commercial CA cert signed by a commercial root CA cert, or by creating your own self-signed CA cert) to authenticate/certify your internal services is good. Using self-signed certs to secure your services usually does nothing to authenticate the service to the end user, if they aren't verifying the cert fingerprints via some other method.
Why these simple concepts are so hard for most people to understand, I will never understand.
Well, in actual fact, nothing prevents software from allowing the user more control over certificate validation. For example, nothing is stopping software from storing the fingerprints and notifying the user when the fingerprint has changed, even for certificates signed by a trusted CA. It would be useful to be able to assign a trust level to an individual CA certificate.
But, you understood that all, right? A self-signed cert has less about it that you can validate automatically than a commercially signed cert. Everything you can validate about the self-signed cert can be validated on a commercial cert.
(In our environment, where we are responsible for 200 servers with about 50 internal users, > 5000 users inside the company, plus customers, we use an internal self-signed CA cert for all internal services such as VPNs, most internal web admin interfaces, and commercial certs for customer-facing interfaces).
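The two points made in the reply above, that a service cert issued by an internal CA can be verified automatically by any client that trusts that CA while a bare self-signed service cert can only be checked by comparing its fingerprint out of band, and that software could remember fingerprints and warn when one changes, as an added runnable example in Go using only the standard library. This is not code from the thread or from any poster; the host name vpn.corp.example, the CA name and every certificate are constructed inline for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh P-256 key and issues a certificate for it.
// parent == nil yields a self-signed cert (a root CA when isCA is true, a bare
// self-signed server cert when it is false); otherwise parent's key signs it.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // a service cert names its host and is valid for TLS server auth
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key // self-signed: the template signs itself
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain is what a client does with its trust store: accept cert only if
// a chain leads to one of roots and the certificate is valid for host.
func verifyChain(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// fingerprint is the SHA-256 of the DER encoding, the value a user would
// compare against one obtained over some other channel.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// PinStore remembers the first fingerprint seen per host (trust on first use)
// and reports any later change, regardless of who signed the new cert.
type PinStore map[string]string

// Check returns firstSeen=true and pins the cert when host is new, nil error
// when the fingerprint matches the pin, and an error when it has changed.
func (p PinStore) Check(host string, c *x509.Certificate) (firstSeen bool, err error) {
	fp := fingerprint(c)
	known, ok := p[host]
	if !ok {
		p[host] = fp
		return true, nil
	}
	if known != fp {
		return false, fmt.Errorf("cert for %s changed: pinned %s, presented %s", host, known, fp)
	}
	return false, nil
}

func main() {
	// Constructed example: an internal root CA, one service cert it issued,
	// and one bare self-signed cert for the same hypothetical host name.
	const host = "vpn.corp.example"
	ca, caKey, _ := newCert("Corp Internal Root CA", true, nil, nil)
	issued, _, _ := newCert(host, false, ca, caKey)
	bare, _, _ := newCert(host, false, nil, nil)

	roots := x509.NewCertPool() // clients are given only the CA cert
	roots.AddCert(ca)
	fmt.Println("CA-issued cert verifies:     ", verifyChain(issued, roots, host) == nil)
	fmt.Println("bare self-signed cert verifies:", verifyChain(bare, roots, host) == nil)

	pins := PinStore{} // the only handle on the bare cert is its fingerprint
	first, _ := pins.Check(host, bare)
	fmt.Println("first contact, pinned:", first, fingerprint(bare))
	rotated, _, _ := newCert(host, false, nil, nil)
	_, err := pins.Check(host, rotated)
	fmt.Println("different self-signed cert presented:", err)
}
```

Distributing the CA cert to clients is the whole difference: with it in the trust store, every service cert the CA issues verifies without any per-service action, and a cert for the wrong host name or from an unknown signer is rejected. The pin store shows the alternative the reply asks for, which works for CA-signed certs too, but it only ever tells the user that something changed, not whether the change was legitimate.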