Simple answer is that you should NEVER let your system work with expired certificates.
If you don't want to pay for CA certs, or don't want to get internal CA certs, you can just use self-signed certificates.
As to your questions to the call flows and tomcat, strongly suggest you review the documentation related to the usage of each certificate to understand when they're used.
HTH
java
if this helps, please rate