To check what certificates are expiring, go to cucm > OS administration > Security > Certificate management.
There are two types of certificates: self-signed and signed by a CA. From a security point of view you should not use self signed certificates. When installing CUCM, the certificate store gets populated with self signed certs, with a 5 year expiry period. In my experience, usually all but the tomcat certs are self signed. Which makes life a lot easier when regenerating new certs. There are a couple of types of certificate types:
3-IPSEC (used for DRF, backup)
As said, there is a big chance all these need to be regenerated because they were generated at the same time: during install.
The most important thing to keep in mind is to never regenerate both Callmanager.pem and TVS.pem certificates at the same time. I suggest the following order, that served me well a couple of times:
1) Regenerate the CallManager.pem certificate on the publisher Call Manager followed by restart of CallManager, TVS and TFTP service on PUB
2) Regenerate the CallManager.pem certificate on the subscriber Call Manager followed by restart of CallManager, TVS and TFTP service and repeat for every SUB in your cluster.
Steps 1 and 2 are impacting because restarting call manager service cause phones to fail over.
As a test after you performed steps 1 and 2, go to the certificate store and verify if all call managers now contain the newly regenerated certificate in their store. Note: there is no need to manually import certs, because replication will sync the certs between the call managers. Of course step when using CA signed certs, in step two, you will need to create a CSR, have it signed and import the cert back into ONLY the server on which the CSR was generated.
3) Regenerate the TVS.pem certificate followed by restart of TVS and TFTP service on the publisher Call Manager.
4) Regenerate the TVS.pem certificate followed by restart of TVS and TFTP service on the subscriber Call Manager
5) Regenerate the CAPF.pem certificate on the publisher CM server followed by regenerating it on the subscriber CM and then restart CAPF service only on publisher CM.
6) Regenerate the tomcat certificate on publisher Call Manager followed by regenerating it on the subscribers server as well
7) Restart the Cisco Tomcat on publisher Call Manager followed by subscriber Call Manager
8) regenerate IPSEC .pem on publisher, restart C: utils service restart Cisco DRF Local AND C: utils service restart Cisco DRF Master, then regenerate on SUBS (restart DRF from SSH Console).
There is really not much to it, just follow the steps in the order above, and restart the services. When I do changes like this I keep RTMT open and monitor the registration of the phones while I go through then changes; Good luck