Hi Brian.
If users devices recognize your internal CA you can trust all server certificates with it .
Anyway cisco recommends to trust all tomcat certificates on UC servers and Server certificates on both Expressway E and C with a public CA.
Personally I deployed collaboration edge to one of my customers trusting only Exp E server certificate with a Public CA and all other certificates with internal CA.
Keep in mind that Exp E certificate MUST be signed with a public CA if you want to deploy Endpoints such as DX series or 88XX series to remote users to let them to join your UC services through MRA.
HTH
Regards
Carlo
Please rate all helpful posts
"The more you help the more you learn"