To request or renew a 3rd-party (or from internal PKI infrastructure) SAN certificate that resides on your Exchange server using EMS I found this approach being useful. In this example I used an internal PKI infrastructure to assign a certificate to my internal Exchange Servers behind a NLB cluster for the ClientAccess role. I found that if the certificate is requested through an internal PKI infrastructure the certificate is issued for a period of one year and has to be manually renewed.

• Create a request using EMS with this command
• New-ExchangeCertificate –GenerateRequest –SubjectName “C=net, O=msunified, CN=webmail.msunified.net” –DomainName webmail.msunified.net, webmail.msunified.local, cashub01.msunified.local, cashub02.msunified.local –FriendlyName “CAS SAN Certificate” –KeySize 1024 –Path c:\CAS_SAN_cert.req –PrivateKeyExportable:$true
• Open the req file, and copy everything except
• —–BEGIN NEW CERTIFICATE REQUEST—–
• —–END NEW CERTIFICATE REQUEST—–
• Navigate to you CA server using the following url: http://CA-server/certsrv
• click “request a certificate” and then select “advanced certificate request”
• click  “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
• past the content in the “saved request” window
• hit submit
  •  If you have a 2003 CA and it does not support SAN certificates you need to enable it using this command
  • CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  • Restart the certificate service and IIS
• click “download certificate chain” and save the file
• On the exchange server import the certificate
• Import-ExchangeCertificate -Path c:\2009-2.p7b -FriendlyName “webmail.msunifed.net”
• Copy the thumbprint and enable the certificate for the selected services
• Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
• Export the certificate for other exchange servers having the same role with certificate chain using IIS or open the local computer personal store
• On the other servers import using IIS
• On the other servers rund Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
• Remove the old certificate with the following command Remove-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91

To renew self-signed certificates on the EDGE servers for the SMPT transport service

• On the EDGE servers open EMS and do the following
• Get-ExchangeCertificate | New-ExchangeCertificate (if its the only certificate on the server)
• Remove-ExchangeCertificate -Thumbprint 1025C608027188FFA4DFAE77089D183DABACD077
• You then have to re-establish the EDGE syncronizations with the new certificate
• New-EdgeSubscription -FileName c:\newsub.xml
• Copy the xml file to the internal servers
• On the EMC for the HUB role in the organizational view, remove old edge subscription and then do a new one, specify the correct xml file
• To synchronize the first time run from EMS the following commandlet: Start-EdgeSynchronization
• To test the synch, run the following commandlet: Test-EdgeSynchronization

To be able to deploy SAN certificates from intern CA, you may have to extend the attributes: http://support.microsoft.com/kb/931351

This blog is loosely based on these sites
http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
http://www.exchangeinbox.com/article.aspx?i=114
http://msexchangeteam.com/archive/2007/07/02/445698.aspx