Over the years I've seen number of posts related to the question of a commercial certificate in an OWA Web Publishing scenario. Nine times out of ten, the ISA firewall admin states that the commercial certificate was installed on the published Web site and they want to know what certificate to install on the ISA firewall to use for the Web Publishing Rule's Web listener.
The problem with putting the commercial Web site certificate on the published Web server is that it doesn't do you any good putting it there. The reason for using a commercial certificate is that you expect external users who aren't using managed client machines to connect to your published Web sites through the ISA firewall.
The users on the corporate network are managed clients, so I have to assume that all the managed clients on the corporate network have your enterprise CA's certificate automatically installed in their Trusted Root Certification Authorities machine certificate store. Because CA certificate distribution is automatic, you can generate your own Web site certificate to install on the OWA Web site.
You install your commercial Web site certificate on the ISA firewall to bind to the Web listener because your external clients don't have your private CA certificate in their trusted root cert store. The commercial certificate's CA certificate is automatically included with the Windows OS, and that's what you're paying for. Don't waste it by binding it to the published Web site.
Bottom line: always install your commercial Web site certificate on the ISA firewall.