Log into the Exchange Admin Center by going to your CAS server at https://CASSERVERNAME/ECP:
Now navigate to Servers->Certificates
Select the CAS server you want to push it to, in our case we will select PHDC-E15CAS01.E15.corp
Now, select the + sign which will bring up the New Exchange Certificate wizard:
Create a friendly name for the certificate:
At the next screen you can decide to request a wildcard certificate, where you would enter the root domain. For example, if you wanted a wildcard certificate for exchange15.com, your screen would look like the following:
If you want to create a SAN certificate, leave this unchecked and select next.
Select the server to store certificate on, in our case, the same server we are requesting it for PHDC-E15CAS01:
Next, you need to select the services that you want to assign to the external domain, and the FQDN of that service. In our case, everything will be to email.exchange15.com. Select each service that does NOT say (when accessed from the intranet) and click the pencil icon to edit the domain:
When you click next, it will show you the domains that will be added to the certificate. If you have any accepted domains in your organization, it will add the autodiscover.accepteddomain.com entry to the certificate:
When you click Next, you will need to fill out the information for the organization requesting the certificate:
Select the location to save the certificate. If you don’t have a network share pre-configured (with the exchange trusted subsystem as an administrator), then you can store it on the C drive of the CAS server with \\phdc-e15cas01.e15.corp\c$\newcertreq.req
Now when you see the request, it will be pending:
Now we need to submit this request to a certificate authority to complete the request. In our case, we will use a Windows 2008 R2 CA to do so.
Log into your certificate authority at https://CA/certsrv
Select Request a Certificate-> Advanced Certificate Request-> Submit a Certificate Request by using…
Open the request you saved before in notepad:
Copy and past that into the Base-64-Encoded…field, and set the Certificate Template to Web Server:
Hit submit to finalize, and you should see the option to Download Certificate or Download the Certificate Chain. Select Download the certificate and save the file to the shared location that you saved the request file to. Next, download the Certificate Chain to the same location, as we will need to import the CA certificate to the host to ensure it trusts the certificate. certnew.cer is the exchange servers certificate, certnew.p7b is the CA certificate.
To import the Certificate Authority certificate, RDP into PHDC-E15CAS01. Open up a blank MMC console and add the certificates snapin for the local account:
Expand and select Certificates underneath Trusted Root Certification Authorities
Right click Certificates select Import->All Tasks->Import
Select the Certificate Authority certificate you downloaded before:
\\phdc-e15cas01.e15.corp\c$\certnew.p7b
Select Next and Finish.
Return to Exchange Admin Center, select the pending request certificate, and on the right hand side select Complete
A new dialog box will open up, enter the path to the certnew.cer file, in our example this would be:
\\phdc-e15cas01.e15.corp\c$\certnew.cer
Now we need to assign this certificate to the specific services we want, select the certificate and click the pencil icon. Then click services, and lets check off which services we want. We are going to want to add SMTP and IIS:
You will receive a warning about overwriting the existing certificate, just select yes:
That’s it, you are all set! When we go to the site and check the certificate:
We are now utilizing the new cert!