Yes you can regenerate them.

You can also regenerate them through the OS administration page.

Security->Certificate management

Open the expired tomcat cert and hit "Regenerate"

Restart Cisco Tomcat on the affected node.

CLI:

utils service restart Cisco Tomcat

Try agent login.

Keep me posted

HTH

Chuck

With respect Chakshu, I feel this is somewhat wreckless advise. In my opinion, the entire topic of certificate regeneration/renewal on CUCM is a bit radioactive because of the ITL. Yes, I know that Tomcat isn’t involved in the ITL but many people don’t and that disclaimer/clarification seems important before telling someone to regenerate certificates (ie, “be careful not to touch CallManger cert without first understanding IT/TVS”). All of that aside, we also don’t know if that cert has been manually trusted anywhere else in the OP’s environment, GPO to avoid buying CA-Signed certs for Jabber to name one example.

If there is a cert problem the Tomcat security logs would show a clear error to that effect.

My guess is the first or second AXL server defined in CCX isn’t responding properly. I suggest verifying that the CUCM Publisher is listed first and then possibly restarting that service on CUCM.

Just to close down the post.  It was indeed the expired TOMCAT self-signed certificate that was causing the finesse login to fail. 

Symptom was: After entering login credentials to finesse login page, the page fails to load anything, you just see the page waiting to load.  No error is returned.  If you restart Finesse TOMCAT service, you briefly get an "invalid username or password" message before the symptom goes back to not loading anything at all.

Thanks