On CUCM 8.6 we have all certs expired. From reading the docs on forums etc., I am still a bit confused.
1. Do I need to enable rollback phones to pre 8 parameter and reboot phones?
2. Do I just regenerate tomcat, reboot phones, then restart TVS as also mentioned in the Docs?
3. Or am I good to regenerate all the certs and not have to reboot phones?
1. No, you don't need to; you can use it if you'd like to remove the ITL altogether while you regenerate the certs.
2. Yes, depending on which certs you need to regenerate, follow the exact order that is explained in the ITL documentation, and do the certs one at a time, one server at a time.
3. If you regenerate all of the certs at the same time, you'll just cause all the phones to stop trusting your servers, and you'll need to delete the ITL manually on every single phone.
Some services will need to be restarted, depending on the certs being regenerated; you'll get the warnings as you do so.
Also, phones will need to reboot to get the new certs, from the docs:
After you regenerate CallManager.pem and restart the TVS and TFTP service, this happens when a phone boots.