End to end authentication and encryption in Cisco Collaboration and through MRA

It's 2017.  You want end to end authentication and encryption. outside and in. You should see padlocks everywhere.

Here's how to get yours.
 

Ten easy steps (super abridged version):

Look for your padlocks!

1. Sign your CUCM tomcat and CallManager certificates, IM&P tomcat, cup-xmpp and cup-xmpp-s2s certificates and UCXN tomcat certificate.
2. Activate and start CAPF on CUCM and restart TFTP.
3. Install LSCs on devices via CAPF enrollment.
4. Change CUCM to Mixed Mode and retart TFTP and CallManager.
5. Create a secure Phone Security Profile and apply to on-premise endpoints.
6. Sign Expressway C server certificate and include an alternate name to use as a CUCM device security profile name.
7. Sign Expressway E server certificate and include an alternate name of just domain.
8. Configure Expressway C and E for MRA.
9. Configure a secure Device Security Profile called your C alternative name and apply to outside CUCM devices.
10. Make calls and enjoy the padlocks.

So you want secure audio to Unity Connection too?

1. Apply a secure profile to the CUCM SIP trunk where the Subject Name is CUC FQDN and transports use TLS and port 5061.
2. Change your CUC port group to use 5061/TLS, Next Generation Encryption and sRTP.

Extra credit fun notes:

• If using TLS to secure communication between CUCM and your LDAP server, change the port from the default 389 to 636.