Exchange 2010 SSL Cert Gotcha's

There are plenty of sites that show you how to apply a new SSL cert to your Exchange 2010 Environment. There are a few gotcha's though that quite a few seem not to mention. Here are the ones I ran into when I did this the other day:

1. The SAN Certificate is specific to the machine used to create the cert request, it cannot be imported to any other Exchange servers unless you first export it as a PFX. You must re-key the certificate using a new request from the new server. Back in the 2003 Exchange days, you could just move the *.domain.com cert from one server to another pretty easily. Not so with 2010.
2. During the 2nd part of IMPORTING the certificate using the “New Exchange Certificate” wizard, you must have the certificate REQUEST file (.req) you created in the beginning in the same folder as the certificate you download from the SSL provider. Exchange uses both to format the certificate. 
3. If you have a Forefront TMG Server in front of your Exchange Server, you will need to update the SSL cert on this device as well.