damn, that sucks... easiest way would be to upgrade as it preserves the original CA signature.. re-generating the CA will mean having to re-gen tug's server cert and the client will have to re-enroll. no biggie but a PITA if something goes wrong.
well, they are running a 10 year old server...
i'll ask around for the ca re-gen command