"When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox (Exchange 2016 and newer), and Mailbox and Client Access (Exchange 2013 and older) servers"
Does this imply that in a 2007/2013 deployment the certificate must be installed on the 2013 CAS server AND all 2007 Mailbox & Client Access Servers?
Output from the EDA only documents installation on the internet facing 2013 CAS server.
The question was really around the servers on which this certificate should be installed. It's clear it is generated and installed on the 2013 server as it's the endpoint for all incoming connections, but the EDA makes no mention of installing the certificate on the 2007 servers, although it makes complete sense to do so.