Questions about SIP TLS migration

Jalmeida
Level 1
My carrier is changing to a SIP Internet trunk in the Cloud with TLS encryption. We do not currently use TLS in our configuration and we do not know what the impact would be: Who should generate the certificate? Is this certificate global, or will it only be used for the SIP trunk connection with the Carrier link? What would be the impact of this certificate on my production environment? Even if it is just an IP change, is there any document that can help us with this configuration? Do we need to validate proxy, firewall rules, create any ACL or NAT rules on the Gateway router (if there is a firewall)? Our topology is very simple with a VOICE gateway with 4 Links with the Carrier.
 
My CUCM is on version 11.5.1

Do I need a license for the SIP trunk with the Operator to work?

How would TLS work with the operator?

For example, in ISE EAP-TLS authentications, the client's CA signs my certificate.

And when integrating my CUCM with the operator's trunk, how would it work?

Note: Only this version is out of date

 

 
2 Accepted Solutions

In your voice gateway you'd need to configure it to act as an SBC (Session Border Controller) and have it configured to use TLS for the SIP trunk with your ITSP. The SBC will act as the border, so your CM won't be affected at all by this; assuming that you currently use SIP as the control protocol for your voice gateway, it will integrate with it just as it does now. If you're using another protocol, such as MGCP, it would require a SIP trunk to be created in CM to integrate with the voice gateway, and in the gateway you'd need to create the needed configuration for it to integrate with CM using SIP.

In these documents you should be able to get pretty much all, and then some, of the information you'd need.

Cisco Unified Border Element Configuration Guide - Cisco IOS XE 17.6 Onwards 

Explain Cisco IOS and IOS XE Call Routing 

Cisco Unified Border Element (CUBE) / SIP Trunking Solutions White Papers 




Jonathan Schulenberg
Hall of Fame

“Who should generate the certificate?”

If your provider will accept a self-signed certificate, you can generate it locally on the router. If not, you will need a signed certificate from one of the CAs your provider trusts.

“Is this certificate global, or will it only be used for the SIP trunk connection with the Carrier link?”

You decide that in the router config. If applied in the sip-ua section, it is global for all TLS dial-peers. If applied through a voice class tenant, only to the dial-peers that tenant has been applied to.

“What would be the impact of this certificate on my production environment?”

It’s not reasonable to expect a comprehensive answer from folk that have never touched your environment. A few possibilities:

  • Older router generations had a performance penalty for TLS overhead. Check the CUBE sizing deck.
  • Assuming you leave the CUCM-facing side of CUBE unencrypted, understand SRTP-RTP interworking limitations.
  • The trunk will stop working if you forget to renew the certificate.
  • External NAT devices (e.g., Internet edge firewall) won’t be able to rewrite IP and UDP port details in SIP headers or the SDP body. You would need to use a SIP profile on CUBE - or give it a publicly routable IPv4 address.

“… is there any document that can help us with this configuration?”

Start with the SIP TLS Support on CUBE chapter of the config guide. There is also a Tech Note to Configure SRTP-RTP Interworking on CUBE. Some of the config examples on the CUBE interoperability portal will also include TLS config.

“Do we need to validate proxy, firewall rules, create any ACL or NAT rules on the Gateway router (if there is a firewall)?”

If you have a firewall between CUBE and the provider, yes. As I mentioned above, external NAT devices won’t work with TLS. It’s ultimately your network; only you can really answer this question.

“Do I need a license for the SIP trunk with the Operator to work?”

Yes. CUBE Standard trunk session licenses for the maximum concurrent call volume.

“How would TLS work with the operator? For example, in ISE EAP-TLS authentications, the client's CA signs my certificate.”

This seems repetitive to the “who signs the cert” question above.

“And when integrating my CUCM with the operator's trunk, how would it work?”

SIP trunk on CUCM to CUBE with dial-peers facing CUCM and the provider.

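Both accepted answers describe the building blocks (the gateway as CUBE at the border, a trustpoint scoped to the carrier, SRTP towards the carrier with RTP towards CUCM, a SIP profile in place of firewall NAT, licensing and firewall checks) without a configuration. The IOS XE fragment below is an added example that is not from either answer, from the original poster or from Cisco documentation. Every value is a placeholder assumed for illustration: carrier SIP/TLS peer 203.0.113.10:5061, CUBE's own address 10.1.1.5 behind a firewall that NATs it to 198.51.100.20, CUCM at 10.1.1.10, outside interface GigabitEthernet0/0/0, trustpoint names CUBE-TLS and ITSP-CA, and FQDN cube.example.com. The syntax is the IOS XE 17.x CUBE CLI; verify each command against the SIP TLS chapter for the release actually running on the gateway.

```text
! Added example config, not from the thread. Placeholder values: carrier
! SIP/TLS peer 203.0.113.10:5061, CUBE outside address 10.1.1.5 (NATed by
! the firewall to 198.51.100.20), CUCM 10.1.1.10, CUBE FQDN cube.example.com.
!
! 1. Key pair and trustpoint for the certificate the carrier will see. Use
!    "enrollment selfsigned" instead if the carrier accepts a self-signed cert.
crypto key generate rsa general-keys label CUBE-TLS modulus 2048
!
crypto pki trustpoint CUBE-TLS
 enrollment terminal
 subject-name CN=cube.example.com,O=Example
 revocation-check none
 rsakeypair CUBE-TLS
!
! Separate trustpoint holding only the CA the carrier's certificate chains to.
crypto pki trustpoint ITSP-CA
 enrollment terminal
 revocation-check none
!
! Exec-mode steps, in this order (not configuration lines):
!   crypto pki authenticate ITSP-CA          paste the carrier's CA cert (PEM)
!   crypto pki authenticate CUBE-TLS         paste the CA cert that will sign you
!   crypto pki enroll CUBE-TLS               prints the CSR; have the CA sign it
!   crypto pki import CUBE-TLS certificate   paste the signed certificate
!   show crypto pki certificates CUBE-TLS    note the end date; set a renewal reminder
!
! 2. CUBE mode, SIP-to-SIP hairpin and the toll-fraud trusted list. Dial-peer
!    session targets are trusted automatically; list any other carrier source.
voice service voip
 mode border-element
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
 allow-connections sip to sip
!
! 3. TLS binding scoped to the carrier's address only (the tenant form in the
!    answer is the alternative). cn-san-validate checks the certificate name too.
sip-ua
 transport tcp tls v1.2
 crypto signaling remote-addr 203.0.113.10 255.255.255.255 trustpoint CUBE-TLS cn-san-validate server
!
! 4. SRTP towards the carrier; the CUCM-facing dial-peer stays RTP (interworking).
voice class srtp-crypto 1
 crypto 1 AES_CM_128_HMAC_SHA1_80
!
voice class codec 1
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
!
! 5. NAT: the firewall cannot rewrite inside TLS, so CUBE rewrites its own
!    private address in SIP headers and SDP before the message is encrypted.
voice class sip-profiles 100
 request ANY sip-header Via modify "10.1.1.5" "198.51.100.20"
 request ANY sip-header Contact modify "10.1.1.5" "198.51.100.20"
 response ANY sip-header Contact modify "10.1.1.5" "198.51.100.20"
 request ANY sdp-header Connection-Info modify "10.1.1.5" "198.51.100.20"
 response ANY sdp-header Connection-Info modify "10.1.1.5" "198.51.100.20"
 request ANY sdp-header Audio-Connection-Info modify "10.1.1.5" "198.51.100.20"
 response ANY sdp-header Audio-Connection-Info modify "10.1.1.5" "198.51.100.20"
!
voice class tenant 100
  srtp-crypto 1
  sip-profiles 100
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
!
voice class uri CARRIER sip
 host ipv4:203.0.113.10
!
! 6. Dial-peers: TLS and SRTP only on the carrier-facing pair.
dial-peer voice 100 voip
 description Outbound to carrier
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:203.0.113.10:5061
 session transport tcp tls
 voice-class sip tenant 100
 voice-class codec 1
 srtp
 dtmf-relay rtp-nte
!
dial-peer voice 101 voip
 description Inbound from carrier (matched on the Via address)
 incoming uri via CARRIER
 session protocol sipv2
 voice-class sip tenant 100
 voice-class codec 1
 srtp
 dtmf-relay rtp-nte
!
dial-peer voice 200 voip
 description To and from CUCM, plain RTP over TCP
 destination-pattern [2-9]...
 incoming called-number .
 session protocol sipv2
 session target ipv4:10.1.1.10
 session transport tcp
 voice-class codec 1
 dtmf-relay rtp-nte
```

Three checks worth doing before cutover, all with commands that exist on IOS XE: `show crypto pki certificates` to confirm both trustpoints hold a certificate and to record the expiry date (the answer's "trunk stops when you forget to renew" case), `show sip-ua connections tcp tls detail` after the first call to see the TLS session to 203.0.113.10:5061, and `debug ccsip messages` on a single test call to confirm the Via, Contact and c= lines leaving CUBE carry 198.51.100.20 and not 10.1.1.5. The `cn-san-validate server` keyword assumes the carrier's certificate covers the address or name used as the session target; if it carries only a hostname, use `session target dns:` with that name. The firewall still needs TCP 5061 from the carrier to CUBE and the RTP port range in both directions; with TLS it no longer needs (and must not rely on) its SIP ALG.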

4 Replies

Hello @Roger Kallberg 

Thank you very much! I appreciate your attention and clarity in the details.

I will study the links.

Hello @Jonathan Schulenberg 

Thank you very much! I appreciate your attention and clarity in the details.

I will study the links.