Tomcat needs to query the certificates thorough OCSP (Online Certificate Status Protocol )

Release : 12.1

Component : CA OUTPUT MANAGEMENT WEB VIEWER FOR ALL PLATFORMS

• Use the Java keytool to generate a self signed certificate.  It's OK to generate the OCSP certificate with keytool.  No need to download and use Openssl as it specifies on the Tomcat website.
• Submit to CSR
• CSR will submit to CA
• CA will generate signed certificate and return
• Import certificates into the .jks file (keystore).
• Edit the Tomcat server.xml to point to the keystore.

For example:

 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="C:\tomcat.jks" keystorePass="WebView12"  
               clientAuth="false" sslProtocol="TLS"/> 

Use  SSLShopper and/or Certificate Decoder utilities to examine certificates.