Rob,
I did manage to find valid .p12 files for ocsp and ca subsystem with an expiry date of 2019. Is there any way to recover this installation by inserting these? Alternatively is there a way to delete these errant certs from the NSS DB in /etc/pki/pki-tomcat/alias and get new ones issued with the correct information?
Or am I way off base here and this is a case where I'm going to have to do a fresh install of IPA, add all users, hosts, etc.. back?
Thank you