This will help you resolve the error "Host not Found" in CallManager 8.x where the ITL files are causing that the phones losses trust with the servers.
Please keep in mind that so far there is no way to know why the ITL files change in most of the scenarios due to CSCtx26418
We have been seeing these issues basically in the following situations:
Certificate regeneration without the proper follow up procedure(restarting CUCM, TVS, TFTP, resetting phones). Certificates can be regenerated explicitly by users through CLI or UI or the regeneration can be triggered by a change in the server network configuration (hostname, ip or domain name changes). In 8.6, we have implemented a more automatic handling of certificates regeneration. TFTP automatically detects the change and phones are also automatically reset so user intervention is not required.
DRS restore sometimes causes sync problems between the file system and the database. Normally, certificates are stored both in the file system and the database and they should be in sync. If they are not, problems as the one observed here would occur.
Not as frequent but we have seen problems with particular sequences of upgrade due to the delay in sync'ing up different copies of the database in the cluster. After upgrading a subscriber, it takes some delay for its copy to sync up with the Pub's. As a result, different copies of the database might not have all the current certificates thus causing problems in the generation of the ITL File. This can be a problem in deployments where the TFTP runs on a sub.