Comment: 2024: 2k RSA still ok

...

Tip: Renewing an existing TLS certificate?

If you are replacing an expiring TLS certificate and the matching private key is still considered secure and of sufficient strength (in 2024 CE that means a key size of at least 2048 bits for RSA keys), keep using the existing private key (and the PKCS#12 keystore passphrase) and generate the CSR from that key. Re-using the key is only appropriate while the key has not been exposed; if there is any suspicion that it leaked, generate a new key instead.
To re-use it, first extract the private key from your keystore (instead of generating a new one):

    openssl pkcs12 -in /etc/tomcat10/webserver.p12 -nocerts | sed -n '/^-----BEGIN/,/^-----END/p' > webserver.key

The sed range keeps only the PEM block and drops the "Bag Attributes" header lines printed before it (a fixed tail +5 works only when there are exactly four such lines, which depends on how the keystore was created). Run this with a restrictive umask (077) or tighten the permissions on webserver.key afterwards, so the key file is readable by nobody but you.

When asked to "Enter Import Password", supply the existing certificateKeystorePassword of the port="443" Connector from your /etc/tomcat10/server.xml configuration file.
When asked to "Enter PEM pass phrase", enter or paste that same passphrase again, and once more at "Verifying - Enter PEM pass phrase". This is the passphrase the extracted key is re-encrypted with, so it stays the same as the keystore passphrase you already know.

Then generate a CSR from the extracted private key, either by supplying the necessary data (at least the subject) on the command line with -subj, or by entering it interactively at the prompts (when -subj is omitted):

    openssl req -new -key webserver.key -out webserver.csr -subj "/CN=WEBSERVER-FQDN"

When asked to "Enter pass phrase for webserver.key", again provide the passphrase from the previous steps. Note that clients validate the host name against the subjectAltName extension of the certificate, not against the CN; most CAs derive the SAN from the CN you submit, but if yours does not, include the SAN in the CSR as well.

The content of webserver.csr is what you then submit to your CA, e.g. by printing it with cat webserver.csr and pasting the result into the CA's web interface.
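The whole renewal procedure above, with the checks a practitioner would add before trusting the result, as an added example that is not part of the original page. It assumes the keystore passphrase is exported in an environment variable KS_PASS (an assumption, so it never appears on a command line), uses placeholder file names and FQDN, and builds a throwaway keystore as constructed test material so it runs offline. The -addext option for the SAN needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original page: re-use the private key of an
# existing PKCS#12 keystore for a renewal CSR and verify every step.
# Assumed: passphrase in $KS_PASS; file names and FQDN are placeholders.
set -eu

# 1. Extract the (still encrypted) private key from the keystore.
#    A BEGIN/END range replaces the fragile 'tail +5': a different number of
#    "Bag Attributes" header lines can no longer truncate the key.
#    umask 077 keeps the key file readable by its owner only.
extract_key() {   # $1 keystore.p12  $2 output key file
  umask 077
  openssl pkcs12 -in "$1" -nocerts -passin env:KS_PASS -passout env:KS_PASS \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$2"
}

# 2. RSA modulus size in bits, so keys below 2048 bits can be refused.
key_bits() {      # $1 key file
  openssl pkey -in "$1" -passin env:KS_PASS -noout -text \
    | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# 3. CSR from the existing key. The SAN is added explicitly because clients
#    match the host name against subjectAltName, not CN.
make_csr() {      # $1 key file  $2 output CSR  $3 FQDN
  openssl req -new -key "$1" -passin env:KS_PASS -out "$2" \
    -subj "/CN=$3" -addext "subjectAltName=DNS:$3"
}

# 4. SHA-256 of the public key inside a key, certificate or CSR. The extracted
#    key, the certificate still installed and the new CSR must all agree,
#    otherwise the wrong key was pulled out of the keystore.
pubkey_fp() {     # $1 key|cert|csr  $2 file
  case "$1" in
    key)  openssl pkey -in "$2" -passin env:KS_PASS -pubout ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Demo on constructed test material: a throwaway keystore holding a fresh
# 2048-bit key and self-signed certificate, then the renewal steps against it.
demo() {
  KS_PASS='changeit'; export KS_PASS      # constructed passphrase
  DIR=$(mktemp -d); cd "$DIR"
  FQDN=webserver.example.test             # placeholder host name
  openssl req -x509 -newkey rsa:2048 -keyout old.key -out old.crt -days 30 \
    -subj "/CN=$FQDN" -passout env:KS_PASS 2>/dev/null
  openssl pkcs12 -export -inkey old.key -in old.crt -out webserver.p12 \
    -passin env:KS_PASS -passout env:KS_PASS
  extract_key webserver.p12 webserver.key
  [ "$(key_bits webserver.key)" -ge 2048 ] || return 1        # strength check
  [ "$(pubkey_fp key webserver.key)" = "$(pubkey_fp cert old.crt)" ] || return 1
  make_csr webserver.key webserver.csr "$FQDN"
  [ "$(pubkey_fp csr webserver.csr)" = "$(pubkey_fp cert old.crt)" ] || return 1
  openssl req -in webserver.csr -noout -verify >/dev/null 2>&1   # self-signature OK
}

demo && echo "key re-used, CSR ready: $PWD/webserver.csr"
```

For a real keystore, point extract_key at /etc/tomcat10/webserver.p12 and compare pubkey_fp of the extracted key against the certificate currently served; a mismatch means the keystore holds more than one key or the wrong one was exported, and the CSR must not be submitted.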

...

Start Tomcat, check that it is listening on port 443, and open https://webserver-fqdn/foo. The expected result is an HTTP Status 404 error (since /foo does not exist), but reaching it confirms that the TLS handshake succeeds and lets you inspect the served certificate in the client: issuer, validity dates, and that the host name matches.

...