I've just found an old p12 file from 2019. I was able to extract the key from that
and it does match the CA Subystem cert that expired 8 March that is listed in LDAP.
So if I could somehow generate a new certificate with this and import into the NSS DB for
/etc/pki/pki-tomcat/alias would that at least get the CA started?