Four Exchange servers:

Mailbox servers: Ex1 and queen
Client Access and Hub Transport servers:FW and EX2

Wildcard certificate

CN=*.1ask2.com
SAN(Subject Alternative Name)=*.1ask2.com

Run Exchange Best Practice Analyzer

The subject Alternative Name (SAN) of SSL certificate for ... does not appear to match the host address. Host address:ex2.1ask2.com. Current SAN: DNS name=*.1ask2.com.

Request a new wildcard certificate as follows:

Assign the new wildcard certificate to the two client access and hub transport servers.

Re-run the Best Practice Analyzer

The warning is gone.