Exchange CSP/CNG SSL issue reminder

1. Ok, after a few hours... here we go:
2.  
3. Exchange 2013 will only make a CSR in SHA1, our CA will only accept in SHA2.
4. IIS/Certificate manager will generate a CSR in SHA2, but only in CNG not legacy format. (Legacy again is sha1)
5. Exchange won't use CNG (MS RSA Key) for ECP or OWA.
6.  
7. I spent ages trying to generate the right CSR, and in the end made it with Certificate manager, it all seemed to go through.
8. Imported it into the server, reset exchange to use it, and restarted IIS.
9.  
10. Everything seemed to work! Went to log into ECP, got web page, got right cert. Entered username and password, and it looped to enter username and password.
11. OWA was the same. Outlook wouldn't talk to exchange.
12.  
13. Oh Shit.
14. Swapping the certs back (thank you for exchange managemant powershell...) and it all worked.
15. Must be the cert. But everything seems to be correct.
16.  
17. After digging I found that the CSR from IIS/Certificate manager is CNG, and mapped to the provider Microsoft Software Key Storage Provider. Exchange wants CryptoAPI (CSP), which can be invoked by using MS RSA Schannel. But you can't generate a CSR with this.
18.  
19. Finally, I found one post, just one, with an answer that worked, given I'd already purchased and now generated the cert:
20.  
21. OpenSSL. Seriously.
22.  
23. Install the windows OpenSSL system.
24. Export the certificate from certificate manager with the private key into a PFX.
25. Delete the certificate from the manager
26.  
27. Run openssl on it:
28. openssl pkcs12 -in OrginalCNG.pfx -out temp.pem
29. openssl pkcs12 -export -in temp.pem -out CSPCert.pfx
30.  
31. Then import it back in, in my case, I imported it directly into Exchange ECP.
32. Allocate it to the IIS/SMTP/etc systems.
33. Restart IIS (iisreset is the easiest).
34. And it all worked.
35.  
36. Maybe this will help someone, probably will help me again in the future.