There are many guides out there how to request, issue and install certificates for Exchange (like this one), so I won’t go into details here. But here’s a small guide how to request, import and then export it to be able to import it to your TMG server.

To create Certificate Request (CSR):
New-ExchangeCertificate -GenerateRequest -Path c:\certreq.csr -KeySize 2048 -SubjectName “c=SE, s=State, l=Location, o=Org, ou=IT, cn=webmail.lab.net” -DomainName webmail.lab.net, autodiscover.lab.net -PrivateKeyExportable $True

Once you have sent the CSR and you have issued a certificate and sent to you, save the file as certificate.cer.

Import your certificate:
Import-ExchangeCertificate -Path C:\certificate.cer

Once imported you will also see if in the certificate MMC.

To enable the certificate, you’ll need the ThumbPrint which you can get from the following command:
Get-ExchangeCertificate | fl Issuer,Thumbprint

You then need to enable this certificate on the services you want:
Enable-ExchangeCertificate -Thumbprint [paste] -Services “SMTP, IMAP, POP, IIS”

Once installed on your Exchange server you can export it so you can import it on other Exchange/ISA/TMG servers. Since the CSR was created on this Exchange server, you need to export it with the private key and this needs to be secure with a password:
$pwd = Read-Host “Put some password” -AsSecureString
Put some password: *********
Export-ExchangeCertificate -Thumbprint [paste] -Password $pwd -Path C:\Temp\test.pfx

Then you can go ahead and import again somewhere else.