Certificate issues of Exchange Server 2016

Hi

There is a certificate issues of Exchange Server 2016.

Our internal domain of Active Directory (Windows 2016) name is test.net and the external domain name is aisa.com. There are two site A and B connect with leased line.

Site A:
Five Exchange Server 2016 :
Lan subnet : ex01.test.net, ex02.test.net and ex03.test.net (Mailbox and CAS roles)
DMZ subnet : ex04.test.net, ex05.test.net (CAS role)
All internal and external clients (Outlook, Mac Mail, iPhone, Android and OWA) connect Exchange Server using name hkexchange.aisa.com.

Site B:
Three Exchange Server 2016 : tk01.test.net, tk02.test.net and tk03.test.net
All internal and external clients (Outlook, Mac Mail, iPhone, Android and OWA) connect Exchange Server using name tkmail.aisa.com.

Existing certificate of Exchange Server is self-sign with internal CA and the self-sign certificate install on all Exchange servers. Certificate include the following subject name:

ex01.test.net
ex02.test.net
ex03.test.net
ex04.test.net
ex05.test.net
tk01.test.net
tk02.test.net
tk03.test.net
hkexchange.aisa.com
tkmail.aisa.com
autodiscover.aisa.com

There are two question:
1. If I want to purchase new certificate for Exchange Server from public, what subject name need to include in the new certificate?
2. In iOS 14.2 or above, when I add the exchange server account on iPhone or iPad, system prompt out a windows say 'Certificate not Trust' and I cannot continue to setup email account. In the past, there is a trust button when the message pop out. When I click the trust button, email account added on iPhone. I search many articles, but there is no solution. Anyone can help?

Best Regards,

Thomas