[cisco-voip] ITL/CTL - CUCM 11

Gr ccie grccie at gmail.com
Tue Feb 26 07:39:24 EST 2019


Hi Team,

CUCM cluster 11 was in secure mode once (using hardware tokens) - then changed back to non-secure mode. The servers and phones both have the CTL files.

1) What issues can we run into if the hardware tokens expire? (Server has both ITL and CTL.)
Will the phones keep trusting files when they have both ITL and CTL, based on the ITL, even if the CTL is corrupt or expired?

2) Is there any real benefit to updating the CTLs using the software CTL tokens by changing to secure mode and then turning secure mode off again?

3) Would it be a good idea to delete the CTL files from the server and phones if we don’t want mixed mode? How can we do it? We can delete the CTL from the CLI, but how about the phones - can we remove the CTL by another method apart from third-party tools like phone view?
I believe LSC (being used for dot1x) would continue to operate by getting CAPF info from the ITL.

3) I need to regenerate the certificates as well on this cluster (CAPF/CallManager/TVS) - will it matter whether the CTL is updated or expired?

4) Another unrelated question: if we push a blank ITL file (enabling the cluster rollback feature) and then update the CTL in a secure CUCM (not something I would do, but asking for the sake of clarity), will it still trust the updated CTL file based on the blank ITL?


Thanks,
GR

