Thanks for the explanation, Jon.  If we were going to attempt to connect to Office365, we reasoned we would not be able to use a self-signed certificate from CUCM.  We know that with an on-premise Exchange server, we'd be able to export the root cert...

In order to generate a public cert, the CSR needs to be 2048-bit.  In CUCM 8.5, the only CSR you can generate with a 2048-bit key is the tomcat cert.  Can that cert be leveraged by the Secure SIP trunk?