I re-generated the CSR, signed it and uploaded the root/intermediate chain to tomcat-trust and the server cert to tomcat and rebooted. (this as per instructions)
I then still saw the old root/intermediate in appadmin/cuic/finesse (but the correct server cert), so I clicked generate self-signed and rebooted,
then performed the above steps again.
This time appadmin (/appadmin) & finesse (:8445/) are fine, but CUIC (:8444/) is showing an invalid cert because it's still using the old (expired) root/intermediate chain. (all running on the same server..)