At present, updating CUCM certificates is a process that requires methodically updating one certificate after another, with several service restarts in between.
I would like to suggest that assuming the following:
1) DB replication is working
2) CTL is tokenless (assuming CTL is in use). If it is hardware-based, it would require user intervention.
3) Other sanity checks
that a maintenance window can be configured from the Publisher to gracefully update the certificates, including time windows when service disruption is acceptable. This would include a status window showing the progress of the certificate update process and whether it has been stopped due to any issues.
Thanks for your consideration.