Hi @GHAN
Not sure what you are running your apache on (OS) however I don’t believe you need to create a JKS each time (not a Tomcat expert so don’t hold me to this)
I have configured Tomcat 8.5 with just using pem files. This also means that if you use a client like certbot you can point tomcat to your live folders (which are symlinks that get updated) and not have to do anything during renewal
I think tomcat is one of those web servers that caches the certs so you may need to restart it to take new certs
Links: Using LetsEncrypt Certificates on Tomcat 8.x on Windows
Andrei