I've read two Cisco documents on setting up a secure SIP trunk between CUBE and CUCM. Both documents talk about importing every node's CallManager certificate into CUBE.
But what if you've got a multi-SAN certificate for CallManager (i.e. one certificate for all nodes in the cluster)? Do I have to import the same certificate for each node in the cluster, or is there another way to do it?
This follows the same basic rules of certificates/encryption you would follow in CUCM; there's nothing special in that regard.
Most likely the doc you looked at did that because they were using self-signed certs, and then each server acts as a standalone CA.
In my lab, as I use the same CA for everything, I generated the CSR request on the ISR, had it signed, then uploaded the same root CA I use in CUCM and the signed certificate, and that's it. I'm able to have TLS/SRTP between them.
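
Added example, not part of either post: a throwaway PKI built with the `openssl` CLI, showing that one CA certificate as trust anchor validates a multi-SAN certificate for every node it lists, while a self-signed node certificate validates only when it is itself the anchor. The host names, the "Lab Root CA" name and the file names are constructed, and this is generic X.509 chain validation, not a reproduction of how CUBE evaluates a peer.

```bash
#!/usr/bin/env bash
# Added illustration. All names (*.example.test, "Lab Root CA") are constructed.
set -eu

build_lab() {  # $1 = scratch directory for the throwaway PKI
  local d=$1
  cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = placeholder
[v3]
basicConstraints = critical,CA:TRUE
EOF
  # Root CA, standing in for the single lab CA that signs everything.
  openssl req -x509 -config "$d/o.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Lab Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # One multi-SAN CallManager certificate listing every cluster node.
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=cucm-ms.example.test" -keyout "$d/cm.key" -out "$d/cm.csr" 2>/dev/null
  echo "subjectAltName=DNS:cucm-pub.example.test,DNS:cucm-sub1.example.test,DNS:cucm-sub2.example.test" > "$d/san.ext"
  openssl x509 -req -in "$d/cm.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/cm.pem" 2>/dev/null
  # Self-signed node certificate: it is its own issuer, unknown to the lab CA.
  openssl req -x509 -config "$d/o.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=cucm-pub.example.test" -keyout "$d/ss.key" -out "$d/ss.pem" 2>/dev/null
}

# trusts ANCHOR CERT HOST: succeeds only if CERT chains to ANCHOR and names HOST.
trusts() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {  # report ANCHOR CERT HOST: prints one result line per check
  if trusts "$1" "$2" "$3"; then r=trusted; else r=rejected; fi
  echo "$r: $(basename "$2") as $3, anchor $(basename "$1")"
}

LAB=$(mktemp -d)
build_lab "$LAB"
for h in cucm-pub cucm-sub1 cucm-sub2; do
  report "$LAB/ca.pem" "$LAB/cm.pem" "$h.example.test"    # one CA import covers all nodes
done
report "$LAB/ca.pem" "$LAB/ss.pem" cucm-pub.example.test  # not issued by the lab CA
report "$LAB/ss.pem" "$LAB/ss.pem" cucm-pub.example.test  # needs its own import
```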