Changing the OWA / ActiveSync / Outlook Anywhere certificate on TMG 2010 when migrating to a new Exchange Server

I find myself in the middle of an AD and Exchange Forest migration, and one of the tasks that came up is moving the certificates from the old/source Exchange 2010 server to the new destination Exchange 2010 server.  Here is how I went about moving the certificate

Request a new Certificate from your Certificate Authority (CA)

1. I had to revoke my existing certificate via GoDaddy’s Control Panel
2. Open the EMC and select the Server Configuration node
3. Click on a free space in the Exchange Certificates tab and select New Exchange Certificate
4. Enter a friendly name for your certificate , i.e. GoDaddy Exchange Cert, click Next
5. Select the appropriate options here, in my case it’s the following:
• Client Access Server (Outlook Web Access)
• Client Access Server (Exchange ActiveSync)
• Client Access Server (Web Services, Outlook Anywhere, Autodiscover)
6. Click Next,taking care to follow the SAN / UCC Certificate guidelines I mentioned in a previous article
7. Enter your Organization info and click Browse to select a location to save your certificate request.  Click Next
8. Review the summary screen and click New and Finish
9. Submit your Certificate request to your CA and download your certificates

Install the Certificate on your new Exchange 2010 Server

1. Open the EMC and select the Server Configuration node
2. Right-click your Certificate’s friendly name and select Complete Pending Request
3. Browse to your downloaded certificate and click the Complete button
4. Still in the EMC, right-click your certificate’s friendly name and choose to Assign Services to Certificate
5. Keep to the defaults, acknowledging any prompt to overwrite an existing SMTP certificate
6. Click Finish to complete the process

Import your new Certificate on the TMG 2010 Server

1. Open the EMC and select the Server Configuration node
2. Right-click your Certificate’s friendly name and select Export Exchange Certificate
3. Select a location to save it and click Export
4. Copy the exported certificate to your TMG server
5. Go Start – Run – MMC
• Click File – Add/Remove Snap-in – Certificates
• Click Add, select Computer Account and click Next
• Select Local Computer – Finish – and click OK
6. Right-click the  Personal – Certificates node and click Import
7. Click Next and browse to your saved certificate, enter your password.
8. Click Next and Finish to exit the import wizard

Add the Certificate to your TMG listener

1. Open up TMG Management
2. Navigate to the Firewall Policy node
3. Go to the Toolbox pane on the right-hand side and select Network Objects – Web Listeners – your Exchange listener
4. Go to the Certificates tab – click Select Certificate – Select your imported certificate and apply your changes
5. Click Start – Run - notepad %systemroot%\system32\drivers\etc\hosts
6. Replace the old Exchange server’s IP with the new server’s internal IP, ensuring you have entries for your certificate’s common name and Autodiscover hostname