If you mean MRA:
1) Not required, unless you want to have calls with something registered to the VCS-C
2) CUCM authentication and encryption are separate, and optional, for MRA. MRA will take care of securing the channel between the endpoint and the VCSs; then it will be unencrypted once in your internal network.
3) Not really, but it will make your life a lot easier to have them all from a single CA.
If you haven't, I suggest you read the MRA config guide for the version you'll be deploying.
HTH
java
if this helps, please rate