1. Role: Active Directory Certificate Services
   (Certification Authority & Certification Authority Web Enrollment)
   (if asked for an expire date, put it on 2060 or so)

Summary:
First we create a certificate server for the domain, after that we export a certificate request from Exchange, we import it in the created Certificate Authority server using the web interface, then save the .cer file  and import that one in Exchange again. After all that, do not forget to import the Certificate Authority certificate on the client pcs to avoid security warnings.

Step 1: Creating exchange certificate and exporting the request:

Follow this tutorial:
http://blogs.microsoft.co.il/blogs/eldadc/archive/2009/07/15/how-to-configure-exchange-2010-certificate.aspx
- On the Organization and Location page, save the .req file for e.g. C:\Exch_req.req.
When asked to send the request to a certificate authority, goto step 2. After step 2 continue the above tutorial.

Step 2: Submit Certificate request to your Certificate server

1. In IE on your Certificate Server, surf to https://127.0.0.1/certsrv (first make sure 127.0.0.1 is a trusted website)
   
2. Click Request a certificate
3. Advanced certificate request
4. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
5. Open C:\Exch_req.req with notepad, and copy the thumbprint (the string between the  start and end message)
6. Paste this thumbprint in the Saved Request: field
7. Change the Certificate Template to Web Server
8. Click Submit
9. Download the Base64 version, .cer and .p7b version, save them to C:\exch-sert.cer and C:\exch-sert.p7b
10. Continue the tutorial from step 1.

Step 3: Get your CA certificate and create installation web page for clients (so clients accept all certificates from this CA)

1. Again goto https://127.0.0.1/certsrv/
2. Click Download a CA certificate, certificate chain, or CRL, and click Yes in the Web Access Confirmation dialog
3. Select Base 64
4. Click Download CA certificate and save it to C:\CA-cert.cer
5. Create an edit C:\Inetpub\Wwwroot\Rootinstall.asp
6. Open: http://support.microsoft.com/?scid=kb%3Ben-us%3B297681&x=6&y=7 and goto step 3, copy that text in the file.
7. Replace
   Set MyFile = fs.OpenTextFile("c:\certificates\base64.cer", 1)
   by
   Set MyFile = fs.OpenTextFile("C:\CA-cert.cer", 1)
8. Browse to the Rootinstall.asp file from a client browser. If your root certificate is not already in the store, you are prompted to install it.

Vista / Windows 7: The Rootinstall.asp page doesn't seem to work in Vista and 7, Clients have to install the certificate manual.
To allow clients to download the above created .cer file, open the Server Manager and open IIS7,

First add the mime type: (IIS > Mime Types, add extension: .cer, type: application/pkix-cert)

Second, rename the .cer mapping to .cer1 to allow the file to be downloaded by the clients.

Links
http://it.thelibrarie.com/weblog/?p=55