I have seen dozens of Exchange 2010 deployments that use a wildcard certificate to publish OWA. That works great, unless you are trying to integrate Lync instant messaging with a wildcard-secured OWA.
Getting around this is straightforward; arriving at the solution was not.
When configuring the OWA virtual directory for Instant Messaging, you need to assign the thumbprint of the certificate you will be using.
The problem is that if you use the wildcard certificate, you will not be able to sign in to IM in OWA. You will see: "Instant Messaging isn't available right now. The Contact List will appear when the service becomes available".
To resolve this, request another certificate from your internal Certificate Authority and use it strictly for this integration.
Go to MMC -> Add/Remove Snap-in and select Certificates. Select Computer account. Navigate to Certificates -> Personal, right-click Personal -> All Tasks and choose "Request New Certificate...".
If the "Web Server" template is not available, you need to add your Exchange server to the certificate template with Enroll permission under the Security tab.
Next, specify the Trusted Application FQDN of the Exchange server that you used in your Lync topology as the subject name.
You can also add additional SAN names if your users use different FQDNs to access OWA (internal and external).
Confirm the thumbprint of your new certificate.
Apply the new certificate thumbprint to your OWA virtual directory by running the following command in the Exchange Management Shell:
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint <New Certificate Thumbprint>
Just to be safe, confirm the new thumbprint was applied.
Note that the certificate I'm using for OWA is still the wildcard. The new certificate is used only for the integration and is not assigned to any Exchange service.
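The whole procedure above, scripted, as an added example that is not part of the original post: it selects the non-wildcard certificate issued for the Trusted Application FQDN from the local machine store, refuses to continue if only a wildcard (or nothing) matches, applies the thumbprint to the OWA virtual directories, and then runs the two checks the post calls for. The FQDN is a hypothetical placeholder; the cmdlets (Get-ExchangeCertificate, Get-OwaVirtualDirectory, Set-OwaVirtualDirectory) are the standard Exchange 2010 ones and it assumes you run it in the Exchange Management Shell on the Client Access server.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell on the Client Access server. The FQDN below is a hypothetical placeholder
# for the Trusted Application FQDN you used in the Lync topology.
$imFqdn = 'cas01.corp.example.com'

# Candidate certificates: issued for the FQDN exactly, not self-signed, and with
# no wildcard entry anywhere in their subject/SAN list. A wildcard certificate is
# exactly what the IM integration rejects, so it is filtered out explicitly.
$candidates = Get-ExchangeCertificate | Where-Object {
    $domains = @($_.CertificateDomains | ForEach-Object { "$_" })
    -not $_.IsSelfSigned -and
    ($domains -contains $imFqdn) -and
    -not ($domains | Where-Object { $_ -match '^\*' })
}

# Prefer the longest-lived match and fail loudly if nothing qualifies, rather than
# silently falling back to the wildcard.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No non-wildcard certificate for $imFqdn found in the local machine store."
}

Write-Host "Using thumbprint $($cert.Thumbprint) for $imFqdn (expires $($cert.NotAfter))"

# Apply the thumbprint to the OWA virtual directories on this server. The thumbprint
# refers to the local computer store, so the certificate must exist on this CAS.
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint $cert.Thumbprint

# Check 1: the new thumbprint is now set on every OWA virtual directory.
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Select-Object Identity, InstantMessagingCertificateThumbprint

# Check 2: the IM certificate is not bound to any Exchange service (Services should
# be None); the wildcard certificate stays on IIS for OWA itself.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Select-Object Thumbprint, Services, CertificateDomains
```

The post's one-liner applies the thumbprint to every OWA virtual directory in the organization; this example scopes it to the local server with -Server because the thumbprint is looked up in each server's own certificate store, so on a multi-CAS deployment you either run it on each server or make sure the same certificate is present on all of them first.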