We have an NW6.5SP6 server that was upgraded from NW5.1.
It is our CA for the tree. We don't have any User certificates.

The "boss" is insisting that we do not migrate the OS to a newer server
which means we'll have to create a new CA for the tree on another server.

As I understand it I have to delete the organisational CA and create a new
one, correct?

Then I have to run pkidiag on all my servers to recreate the SSL certs.

What about sdidiag, do I have to run that one?

I've read somewhere that Tomcat has its own certs, is that true? How do I
regenerate them?

Do you see any problems with just deleting the CA and creating a new one?