Exam 300-820 topic 1 question 119 discussion

Answer B: When configuring a secure SIP trunk (TLS) between Cisco Unified Communications Manager (UCM) and Cisco Expressway-C, the Cisco UCM must trust the certificate presented by the Expressway-C during the TLS handshake. The certificate for Expressway-C should be uploaded to the CallManager-trust trust store in Cisco UCM, which is used for managing and storing the certificates for secure communications, including SIP trunks. The other trust stores are used for different purposes: - tomcat-trust: This is used for Tomcat-based applications (web services), not for SIP trunks.

A and B Cisco Unified Communications Manager Certificates The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote Access are the CallManager certificate and the tomcat certificate. These are automatically installed on the Cisco Unified Communications Manager and by default they are self-signed and have the same common name (CN).

B is correct

"the administrator will upload the Expressway server certificate to the trust store" (CUCM) https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-and-X8-1.pdf

Loading server and trust certificates on Unified CM Certificate management for Unified CM is performed in the Cisco Unified OS Administration application. All existing certificates are listed under Security > Certificate Management. Server certificates are of type certs and trusted CA certificates are of type trust-certs. Unified CM server certificate By default, Unified CM has a self-signed server certificate CallManager.pem installed. We recommend that this is replaced with a certificate generated from a trusted certificate authority. Unified CM trusted CA certificate To load the root CA certificate of the authority that issued the Expressway certificate (if it is not already loaded): 1. Click Upload Certificate/Certificate chain. 2. Select a Certificate Name of CallManager-trust. 3. Click Browse and select the file containing the root CA certificate of the authority that issued the Expressway certificate. 4. Click Upload File. Repeat this process on every Unified CM server that will communicate with Expressway. Typically this is every node that is running the CallManager service.

Tomcat-Trust = tls verify callmanager-trust = secure device registration In the question it's talking about the initial SIP Trunk standup, not device registration. So i'd lean toward Tomcat-trust A. https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html#anc13

The question is marked with an asterisk, since the correct answer here, as far as I'm concerned, is AB: Upload the root and intermediate (if there are any) certificates on CUCM: In the new window, start to upload the root.pem certificate you got from Step 1. Upload it first as 'Tomcat Trust' Click or select the 'Upload' button and next you must see "Success: Certificate Uploaded". Ignore the message about restart Tomcat for now. Upload the same root.pem file now as 'CallManager-trust' for the 'Certificate Purpose'. Repeat previous steps (upload as 'tomcat-trust' and 'CallManager-trust') for all the intermediate certificates you have. https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/217748-upload-the-root-and-intermediate-certifi.html