While it's possible to upload a 3rd party certificate to CUCM, as far as I know the only way to do what you want to do is use the CTL client and get a pair of security USB keys from Cisco. At any rate the keys are relatively inexpensive and if you get two pairs of them you can test encryption in a lab with one pair, and then use the other pair to do a limited deployment in production, and finally build out from there. It's perfectly secure, good enough for the DOD so it should be good enough for about anyone. The big problem with the keys is that they can be hard to come by. It may be easier now, but last year it took a lot of research and a lot of begging to get them.
Just remember that for real security you also have to encrypt calls and signaling to and from the voice gateways, as well as calls that may use any hardware conferencing devices.
There are, what I think, are three good write-ups on the subject.
http://www.netcraftsmen.net/resources/blogs/configuring-calling-encryption-between-cisco-ip-phones.html?blogger=Paul+Smith
http://www.netcraftsmen.net/resources/blogs/configuring-a-secure-voice-gateway.html?blogger=Paul+Smith
http://www.netcraftsmen.net/resources/blogs/configuring-secure-hardware-conferencing.html
It's kind of a pain and will take a while to do, but it's pretty cool once you get it working.
Good Luck,
Refram
