
CSCvr48846 - ITLrecovery certificate is regenerated during upgrade

What the bug description doesn't include is that after the upgrade to 12.x, once the ITL certificate is regenerated, the phones will be unable to update their ITL because they no longer trust it.

 

In a mixed-mode cluster, if you need to update the CTL file, it is also signed by the new ITLRecovery certificate, which will also not be trusted by the phones.

 

Basically, in 12.x the "main" signer of ITLs and CTLs became the ITLRecovery certificate. This is great because it's got a validity of about 20 years, so no more freaking out whenever your CallManager certs are expiring. The commands to "reset" the CTL and ITL will now revert to the CallManager certificate as the signer. This change is, however, not well documented, and you'll need to take manual action if you want your phones to trust the cluster.


In a mixed-mode cluster you need to use "utils ctl reset localkey" to force the CTL file to be signed by the CallManager certificate again. After resetting the phones, they'll be able to update their CTL and ITL files (since the ITLRecovery certificate is now in the CTL file, the phones will now accept the ITL as well). After the phones update, you can then sign the CTL file again with "utils ctl update CTLFile", which will sign it with the ITLRecovery certificate (and reboot the phones again).

 

In a non-secure cluster you'd probably just need to do the same but for the ITL: "utils itl reset localkey" to re-sign with the CallManager cert. Reset the phones. Then update it normally, I guess? (I pretty much only have customers with mixed-mode clusters, so I haven't tested this.)
