I've been observing multiple issues for some time, unable to enroll new clients etc.

Finally found out that the possible root cause is the expired Server-Cert cert-pki-ca and therefore pki-tomcat service won't start

Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/

Request ID '20171204131518':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=....
subject: CN=....
expires: 2022-04-25 17:06:51 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"

Other certs in  /etc/pki/pki-tomcat/alias/ seem to be ok but this one.

I'd like to understand how to perform the forced update for this one, i assume it must be renewed automatically though

I tried to invoke post-save command manually but no luck.

Appreciate any ideas