There is a CLI command to (re)sign the ITL file with CallManager certificate, but, unlike the CTL file, there's no command to sign the ITL file with the ITLRecovery certificate.
By some magic of restarting TVS & TFTP processes, I managed to get the ITL file signed by the ITLRecovery certificate, but that was luck rather than skill.
Is there a known process for signing the ITL file with the ITLRecovery certificate?
This is where that information came from. In case you want to learn more.
In newer CUCM versions the ITL file is signed by the ITLRecovery by default.