I have faced this issue as well where certain 7821 phones are registering fine through the EXP-E and other are not, reporting that they cannot trust the EXP-E certificate. Unfortunately you have to stage all the phones first on premises to avoid this issue since the Cisco documentation is reporting the following:
"Certificate provisioning to remote endpoints is not supported over MRA. For example, the Certificate Authority Proxy Function (CAPF). If you can do the first-time configuration on premises (inside the firewall) including CAPF enrolment, then these endpoints can use encrypted TFTP configuration files over MRA. But you can't do the CAPF enrolment over MRA, so you must bring the endpoints back on-premises for subsequent certificate operations."
So likely phones with old firmware will not able trust the certificate and to log in through the EXP-E. That was my case.
Configuring Cloud Connected PSTN (CCP) – Easy as 1-2-3!
STEP 1: PREPARE
Before you can configure your CCP in Control Hub, you must procure PSTN services from an authorized Webex Calling CCP Partn...
To participate in this event, please use the button to ask your questions
This topic is a chance to discuss more about how to read Cisco Unified Communications trace files. In this session, Cisco D...