doesnt' really mater, in both cases you can use only certificate per service
get a public certificate with the fqdn you need i.e.
mail.domain.com (assuming this is your owa url)
autodiscover.domain.com
servername.domain.int (if applicable)
and then assign it to the IIS service