I've just found an old p12 file from 2019. I was able to extract the key from that and it does match the CA Subystem cert that expired 8 March that is listed in LDAP. So if I could somehow generate a new certificate with this and import into the NSS DB for /etc/pki/pki-tomcat/alias would that at least get the CA started?