From 2015 you won't be able to get an SSL certificate for a .local domain name. If you're looking to buy a 5-year certificate like me, then that's going to cause you some issues. Here's how to work around it...
First of all, request your new SSL certificate by creating a CSR without your .local addresses, and process it on your CA's website. Once you have your certificates, complete the import in IIS and then in Exchange.
To get the thumbprint, run the following command and note the new and the old thumbprint (the expiry dates may help if there are a lot of them):
Get-ExchangeCertificate | fl
If you redirect users from HTTP to HTTPS then assigning the certificate won't work from EMC and you'll have to use the following command in EMS to switch IIS over to the new certificate (replace the placeholder with the new thumbprint you noted above):
Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services "IIS" -DoNotRequireSSL
If for any reason you have to switch IIS back to the old one, then just run the above, but use the old thumbprint instead.
Now that IIS is using the new certificate which doesn't include your .local addresses, you are going to get certificate errors in Outlook when it tries to do things like sync the OAB, because the internal URLs still point at names the certificate doesn't cover. You'll need to force the following three URLs to the same as your external ones.
Before I made the changes I ran the following commands so that I could make a note of the old URLs in case anything went wrong. Note the old Internal URLs or better still, capture the screen:
Get-ClientAccessServer -Identity SERVERNAME | fl
Get-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" |fl
Get-OABVirtualDirectory |fl
Set Autodiscover Internal URL:
Set-ClientAccessServer -Identity SERVERNAME -AutoDiscoverServiceInternalUri https://your.public.address/Autodiscover/Autodiscover.xml
Set Exchange Web Services Internal URL:
Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS (Default Web Site)" -InternalUrl https://your.public.address/ews/exchange.asmx
Set Offline Address Book Internal URL:
Set-OABVirtualDirectory -Identity "SERVERNAME\OAB (Default Web Site)" -InternalUrl https://your.public.address/OAB
Once complete, several guides say to click Recycle in IIS>Application Pools>MS Exchange Autodiscover, but that didn't work for me. I just stopped and started MSExchangeAutodiscoverAppPool instead.
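The whole procedure above as one script, added here as an example rather than taken from the original post: it backs up the three internal URLs, checks that the certificate bound to IIS actually covers the public name before changing anything, sets the URLs, verifies them, and stops/starts the Autodiscover app pool. SERVERNAME and your.public.address are placeholders you must change; the backup path is an assumption.

```powershell
# Added example, not the original post's code. Run from the Exchange Management Shell.
$Server     = "SERVERNAME"            # placeholder: your Exchange CAS server name
$PublicHost = "your.public.address"   # placeholder: the public FQDN on the new certificate

# 1. Capture the current internal URLs so they can be restored if Outlook breaks.
$backup = [ordered]@{
    Autodiscover = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    EWS          = (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    OAB          = (Get-OABVirtualDirectory -Server $Server).InternalUrl
}
$backup | Export-Clixml -Path "$env:USERPROFILE\exchange-urls-before.xml"   # assumed location

# 2. Refuse to continue unless the certificate IIS is using covers the public name.
#    (A wildcard cert lists "*.example.com", so adjust the comparison if you use one.)
$iisCert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" }
$names   = $iisCert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains $PublicHost) {
    throw "IIS certificate $($iisCert.Thumbprint) does not cover $PublicHost; fix the binding first."
}

# 3. Point all three internal URLs at the public name over HTTPS.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$PublicHost/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$PublicHost/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$PublicHost/OAB"

# 4. Verify: every internal URL must now use HTTPS and the public host.
$after = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl,
    (Get-OABVirtualDirectory -Server $Server).InternalUrl
)
$bad = $after | Where-Object { $_.Scheme -ne "https" -or $_.Host -ne $PublicHost }
if ($bad) { throw "Still pointing at a non-public or non-HTTPS URL: $($bad -join ', ')" }

# 5. Stop and start the Autodiscover app pool so clients get the new URL immediately.
Import-Module WebAdministration
Stop-WebAppPool  -Name "MSExchangeAutodiscoverAppPool"
Start-WebAppPool -Name "MSExchangeAutodiscoverAppPool"
```

To roll back, import the XML backup with Import-Clixml and feed the saved values to the same three Set- cmdlets.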