Tuesday, 14 June 2016

Getting SSL Certs into Exchange

I've recently had a bit of an issue getting an SSL cert into Exchange Server: the new cert request in Exchange got lost for some reason, and with it went the private key file.

Unfortunately the CSR had already gone out and the public key certificate had been issued, so we ended up losing that and had to start again (and pay again...).

This time round I got the certificate provider to generate the CSR for us and provide the private key. I know this is not as secure as generating it yourself, but I could not see an easy way to export the private key from Exchange, so I decided this was a safer way to ensure we didn't lose things.

I dropped onto a Linux box, created a private key file and a public certificate file, pasted in the text from the certificate provider, and then ran the following command:

openssl pkcs12 -inkey private.pem -in public.crt -export -out pkcs12.pfx

After entering a good, secure password this gave me the combined public/private pair in a .pfx format file.
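As an added example (not from the original post), here is the same Linux-side step done with the key generated locally, so only the CSR ever goes to the provider, plus the check a practitioner wants before exporting: that the certificate returned actually belongs to the key. It also embeds the issuing chain and sets the friendly name at export time. File names, the hostname and the PFX_PASS variable are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key locally, check
# that the certificate the provider returns actually belongs to that key, then
# build the PFX with the issuing chain and a friendly name in one go.
# File names, the hostname and PFX_PASS are constructed placeholders.

# Generate a 2048-bit RSA key and CSR; only the CSR goes to the provider.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$3" 2>/dev/null
}

# Print "match" if the certificate's public key is the one derived from the
# private key, otherwise "mismatch". Comparing public keys (not RSA moduli)
# also covers EC keys.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
  if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

# build_pfx KEY CERT CHAIN OUT FRIENDLY_NAME
# Refuses to export if the key and certificate do not match. The password is
# read from the PFX_PASS environment variable so it never appears on the
# command line. -certfile embeds the intermediate chain so Exchange serves it;
# -name becomes the certificate's friendly name when Windows imports the PFX.
build_pfx() {
  [ "$(key_matches_cert "$1" "$2")" = match ] || {
    echo "key $1 does not match certificate $2" >&2
    return 1
  }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "$5" -passout env:PFX_PASS -out "$4"
}
```

With OpenSSL 3 the default PFX encryption is not understood by older Windows releases; add -legacy to the pkcs12 command if the import on the Exchange server complains about the password.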

This was transferred over to the Exchange server and imported using the fairly obvious "Import Exchange Certificate" option within the Exchange Management Console (under Server Configuration, on the right).

The only slight issue was that this was imported without a friendly name, which bugged me a little.

I opened MMC and added the Certificates snap-in for the local machine. The cert is added under Personal/Certificates, so go there, right-click the cert and go to Properties. Enter something sensible in the "Friendly name" box (I normally use the date and FQDN). OK that box, close MMC, refresh EMC and you are nearly there.

The last thing is normally to tell Exchange to start using that cert for all of your connections. From within EMC, right-click the newly added cert and select "Assign Services to Certificate", then pick the ones you want (don't just do all of them, as picking non-configured services will prevent it from running) and you are all sorted.

It is probably best to check OWA and an auto-configure session afterwards, just to be on the safe side.

Incidentally, this seems to work fine on SBS as well, although I don't have loads of experience of having done so.