CUCM Security Certs - getting my head around it

iptuser55
Level 6

I have a question.

I have a CUCM application which (I wasn't involved in the build, so I'm trying to understand the setup) requests a certificate via the browser when trying to access it, so I guess the two options are to use the self-signed certificate or a company CA-generated one.

Difference

If we use self-signed from the app itself, does that mean that all users need to download it when they wish to access the server?

CA – Each user already has a cert as part of group policy, so I just need to create a CSR and pass it to the CA to create the cert, and then upload this to the server, and by default users can access the server since they have a cert as part of the group policy? Is this correct?

What are the steps?

Self-signed – Each user needs to download the cert from the CUCM app in their browser before accessing the CUCM server, or use the company's root certificate which has been uploaded to the CUCM server, so by default the users do not need to download any cert themselves?

How can you confirm whether the CUCM application only has its self-signed cert or a CA-signed one?

Server concerned - see attached - to me it looks like the certs are self-signed.

The certificate on the CUCM cluster is different: on the cert type, it shows Self-Signed, CA signed.

Thanks

3 Replies

Ayodeji Okanlawon
VIP Alumni

If we use self-signed from the app itself, does that mean that all users need to download it when they wish to access the server?

Yes, you will need to download the CUCM self-signed cert into your users' PC trust store, otherwise each time a user accesses the CUCM user/web admin page, they will be presented with an untrusted certificate prompt.

CA – Each user already has a cert as part of group policy, so I just need to create a CSR and pass it to the CA to create the cert, and then upload this to the server, and by default users can access the server since they have a cert as part of the group policy? Is this correct?

Yes, this is correct.

What are the steps?

The steps are as follows:

1. Generate a tomcat CSR

2. Send the CSR to your CA to sign

3. Upload the CA root cert to your tomcat-trust store on CUCM

4. Upload the signed tomcat server cert to your CUCM.

Self-signed – Each user needs to download the cert from the CUCM app in their browser before accessing the CUCM server, or use the company's root certificate which has been uploaded to the CUCM server, so by default the users do not need to download any cert themselves?

You might need to do this yourself as an admin. Or write a document informing users on how to do this. This is why it's better to use an enterprise CA, since the root CA is already present.

How can you confirm whether the CUCM application only has its self-signed cert or a CA-signed one?

You can easily browse to the CUCM web page and check the cert issuer. If the issuer is the CUCM itself, then it is a self-signed cert.

Please rate all useful posts
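The issuer check described in the answer above can also be done from a command line with openssl; the following is an added example, not part of the original thread or any Cisco tooling. It builds throwaway certificates (the `example.test` host name and the "Constructed Corp Root CA" name are constructed sample values), classifies each as self-signed or CA-signed, and shows which one a client holding only the enterprise root would accept.

```shell
#!/bin/sh
# Added example. Host names and the CA name are constructed sample values.

# cert_kind FILE: print "self-signed" when issuer == subject and the signature
# verifies with the certificate's own key; otherwise print "ca-signed".
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# trusted_by ROOT CERT: succeed only if a client whose trust store holds just
# ROOT (e.g. pushed by group policy) would accept CERT.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_certs DIR: build throwaway certificates to run the checks against.
make_demo_certs() {
    # Self-signed server certificate, as generated by the application itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cucm-pub.example.test" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
    # Stand-in for the enterprise root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Corp Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    # Steps 1 and 2 of the answer: generate a CSR, then have the CA sign it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cucm-pub.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
for c in self srv; do
    if trusted_by "$demo/ca.pem" "$demo/$c.pem"; then t=trusted; else t=untrusted; fi
    echo "$c.pem: $(cert_kind "$demo/$c.pem"), $t by a client holding only the root CA"
done
rm -rf "$demo"
```

To run `cert_kind` against a certificate exported from the browser, save it as PEM and pass the file path.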

Thanks for the reply, well worded.

Question: the app in question is Finesse. If I go down the CA path and upload a CA cert to Finesse, is there any other Cisco app I may break, so to speak? Finesse is used in a UCCE deployment. When I access Finesse, it references CTI servers as well as HDS. By uploading a CA cert on Finesse only, would I need to upload the same CA elsewhere?

Good question. I don't know enough about Finesse to answer that question.

Please rate all useful posts