Thanks for the explanation, Jon. If we were going to attempt to connect to Office365, we reasoned we would not be able to use a self-signed certificate from CUCM. We know that with an on-premise Exchange server, we'd be able to export the root cert...
In order to generate a public cert, the CSR needs to be 2048-bit. In CUCM 8.5, the only CSR you can generate with a 2048-bit key is the tomcat cert. Can that cert be leveraged by the Secure SIP trunk?