After our initial migration from 2003 to 2010 everything had been running swimmingly. The Exchange 2010 server automatically made a default SSL certificate that it was using for everything but for obvious reasons external access to OWA didn't count as secure.
I purchased the appropriate SSL certificate for our OWA server and applied it via the Exchange 2010 management console. Unfortunately during that process it decided that it would also apply itself to SMTP in addition to the OWA required services. So *now* when an internal user opens Outlook they are immediately prompted that the SSL certificate is showing the incorrect name (twice). You can accept it each time and move on, but I need to get back to the point where the internal certificate is assumed valid for SMTP and the purchased one is still used for external connections (which are working atm).