This would be the CallManager certificate, not the Tomcat cert. This would only be required if you're trying to build a TLS-protected SIP trunk to a third-party system that requires the CA-signed certificate be presented for the TLS handshake. Note that CUCM has rather uncomon key usage requirements that must be included in a CA-signed certificate.
In case you're wondering, Cisco Jabber does not check the CallManager certificate, only Tomcat.
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
The below trick might come handy when you have to add a new node to a cluster but you don't have or is unsure of the security password for the publisher. This procedure has been around for ages.
1) Login into the CLI of the Publisher.