Cisco Unified Communications Manager (CUCM) allows Unity Connection (UC) to register voicemail ports as encrypted. In order to do this, follow the steps in the "Cisco Unified Communications Manager Security Guide, Release 8.0(1)". The steps for configuring the ports are explained as follows from http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/security/8_0_1/secugd/secuvmp.html.
Verify that you installed and configured the Cisco CTL Client for Mixed Mode.
Verify that you configured the phones for authentication or encryption.
Use the certificate management feature in Cisco Unified Communications Operating System Administration to copy the Cisco Unity certificate to the trusted store on the Cisco Unified Communications Manager server; then restart the Cisco CallManager service.
In Cisco Unified Communications Manager Administration, configure the device security mode for the voice-messaging ports.
Perform security-related configuration tasks for Cisco Unity or Cisco Unity Connection voice-messaging ports; for example, configure Cisco Unity to point to the Cisco TFTP server.
Reset the devices in Cisco Unified Communications Manager Administration and restart the Cisco Unity software.
Step 3 doesn't specify what certificate to copy on to the Cisco Unified Communications Operating System Administration trust store or where it is located. The correct Unity Connection certificate to copy can be found on the Cisco Unity Connection Administration web page. Navigate to Telephony Integrations > Security > Root Certificate. At the bottom of the screen locate the "Right click to save the certificate as a file named...." link which can be used to download the certificate (see below).
After the root certificate has been saved off of the Unity Connection server upload it to the Communications Manager Operating System Adminsitration webpage. Navigate to Security > Certificate Management. Click on upload certificate to upload the Unity Connection root certificate. Select CallManager-Trust for the Certificate field and then browse to the certificate. Click upload when finished. Lastly restart the CallManager service so that the certificate will take effect. Remember that every server that the secure voicemail ports might register to needs to have the certificate uploaded to it and the CallManager service restarted after the upload. To determine which servers the voicemail ports may register with, check the callmanager group on the voicemail ports on CUCM and also on the UC server under Telephony Integration > Port Group > Edit > Servers.