In Exchange 2007, certificates were a thing for powershell. I personally relied on www.digicert.com's CSR generator to build MOST of my certificates for customers to ease the pain of this. Apparently this hit Microsoft's radar and in 2010, this has been addressed with the certificate wizard. In the EMC, this is located at the root of the Server Organization (since a valid certificate can be applied to both HT and CAS activity, this makes the most sense.
Clicking on New Exchange Certificate, we are presented with a series of questions.
- Friendly Name - this can be anything you want "Chris Lehr cert" to the same as common name to "Exchange 2010 test cert" - whatever helps you recognize it.
- Domain Scope - One option here, do you want a wildcard certificate? If you do, you skip the next step.
- Exchange Configuration - I will screenshot this because it is pretty impressive. You get to run through the different certificate needs, what you will use, and what names (internally and externally) will be used. This then builds the certificate request for you.
You can pick and choose the names as you select items you decide to use.
- Organization and Location - be sure to use information matching your domain registration for any externally facing domains. Also, you can specify the certificate request file path here.
- Review Settings and complete.
We utilized www.Digicert.com for a SAN cert again, and when I imported the certificate request on their website, I noticed the cert request included several domain names for autodiscover of other domains we host (that we did not need autodiscover for) - this particular certificate vendor allowed us to remove names from the certificate before issuing to keep our cost down. Some other vendors add names NOT in your request. Some will only issue exactly what you ask for (and that your registrar administrators approve)