See my <a href="http://itknowledgeexchange.techtarget.com/it-trenches/certificates-who-do-you-trust/">blog entry</a> on this subject.
The process I used is as follows:
To generate a Certificate Signing Request (CSR) on an Exchange 2007 server:
<i>Prior to starting, uncheck the feature in Windows "Hide extensions for known file types".
When I pasted the cert from VeriSign into notepad on the Exchange box and saved the file as cert.cer or cert.p7b, good ol'e Windows decided to add .txt to the end of the file. You are unable to see the .txt in Explorer. So after trying to import the cert in the steps below, you will recieve an error.</i>
1. Open the Exchange MMC. Start, All Programs, Microsoft Exchange Server 2007, Exchange Management Concole.
2. Scroll down the opening screen until you see: Configure SSL for your Client Access Server. Click on this link. This will open a help window describing the steps to go through for this process.
3. If you don’t see it, scroll down the window until you see the text: 1. Open the Exchange Management Shell. Click on this link which will open the command line (Powershell) based window.
4. At this command line enter the following command making modifications to variables as needed (underlined items):
a. New-ExchangeCertificate -GenerateRequest -domainname webmaileu.company.org,autodiscovereu.company.org,vuk43xch01.ctsorg.company.org -FriendlyName webmaileu.company.org -subjectname "O= Corporation, OU=Company, C=US, S=State, L=City, CN=webmaileu.company.org" -privatekeyexportable:$true -path c:webmaileu-csr.txt
5. If the command runs successfully, a CSR file will be created in the path described in the command.
6. This CSR file will be used by the Certificate Authority (CA) to generate a trusted certificate and private key for this server.
7. Once the certificate information is returned it will need to be imported on the client access server. This is done by the following steps:
a. The certificate text file should be saved on a location where the client access server can access the file.
b. If the Exchange Management Shell is not open, it will need to be opened.
c. Run the following command, making changes as needed to the underlined variables:
i. “Import-ExchangeCertificate –path c:webmaileu.cer”
8. We now need to locate this certificate & its thumbprint to install into IIS and update the self-signed certificate. This is done by the following steps:
a. While at the command prompt in the Exchange Management Shell, type “dir cert:LocalMachineMy | fl” and press enter.
b. Locate the certificate with the right Subject name and FriendlyName for this server.
c. Copy the Thumbprint to the clipboard.
d. At the command prompt type “enable-ExchangeCertificate –thumbprint <value copied to clipboard> -services “IIS, IMAP, POP””. Press enter.
9. The IIS virtual directories now need to be configured to use SSL. This is done by the following steps:
a. Under Default Web site, select the virtual directory that you want, for example, "owa".
b. Right-click the virtual directory, and then click "Properties".
c. Click the "Directory Security" tab.
d. In the "Secure Communications" section, click "Edit".
e. In the "Secure Communications" dialog box, make sure that both the "Require secure channel (SSL)" check box and the "Require 128-bit encryption" check box are selected.
f. Click "OK" to save your changes.
g. Restart IIS to ensure settings are saved.
Basically the same certificate gets installed on both the CAS and ISA servers.