Anyone Familiar with How Server Farms and SSL Certificates Work?

I am posting this hear so hopefully someone with some experience can help
me possibly understand what Microsoft's servers are doing.

So, randomly their email servers are presenting different SSL certificates
to clients when they connect. If the certificate used is one that we
haven't imported the Certificate Authorities (CAs) for, we get an not
trusted error on the IBM i.

Normally for this type of thing we simply use openSSL to grab the CAs and
import them using DCM. But because it's random, and the server(s) that are
presenting this odd SSL cert we can't purposely connect to, it's been a
whole day of trying to get this rogue SSL certificate (hopefully it is only
one more!)

The same thing is happening with the RESTful API servers. I got lucky with
openSSL on these and was able to get both certificates so that at least for
those using the API are ok for now.

But the smtp server is another story. I haven't been lucky enough to get
the other certificate.

How and why would this be happening? When they install a new SSL cert does
it get replicated to all the servers in the farm? Or is that don't
manually and it's possible a couple didn't get updated (at all... or "yet")?

I've tried contacting MS but so far nothing from them. I just want to know
if what I think is happening is in fact happening.

BTW, if you're on the fence between using Google or Outlook 365 for your
corporate email in the future, after dealing with both for a few years I
would pick Google over MS every time. It's faster and much more stable.
(just a vent there... haha!)

Brad
www.bvstools.com