Modern tomcat versions also support using pem files directly, without need to convert to p12: Enabling SSL on tomcat using pem file - Stack Overflow
If you want a p12 file, you can use openssl command line to convert; I don't believe certbot supports outputting those files directly. jks is deprecated in the java ecosystem as well, and I wouldn't recommend that; there are few tools for dealing with jks.
I haven't used it personally, but there are also projects such as acme4j which you may be able to incorporate into whatever you're running on tomcat to handle certificates directly in your Java code: acme4j
Finally, I personally have found the performance of Java's TLS stack to be lacking sometimes compared to alternatives, and it's often better to run something like nginx, traefik, or caddy as a reverse proxy in front of tomcat to handle TLS and other tasks like serving assets. But that's a bigger change, far more than what you asked for help with.
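
The openssl conversion mentioned in the reply above, as an added example (not part of the original reply and not certbot's own code): a bash function that builds a PKCS#12 keystore from certbot's `fullchain.pem` and `privkey.pem`. The `tomcat` alias, the default output and password-file paths, and the `P12_OUT` / `P12_PASSFILE` variables are assumptions; `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks.

```bash
#!/usr/bin/env bash
# Added example: convert certbot PEM output to a PKCS#12 keystore for Tomcat.
# The "tomcat" alias and the default paths below are assumptions.

# Usage: pem_to_p12 FULLCHAIN PRIVKEY OUT_P12 PASSFILE
# Returns 0 on success, 2 unreadable input, 3 no temp file,
# 4 export failed, 5 new keystore failed verification.
pem_to_p12() {
    local fullchain=$1
    local privkey=$2
    local out=$3
    local passfile=$4
    local tmp

    [ -r "$fullchain" ] && [ -r "$privkey" ] && [ -r "$passfile" ] || return 2

    # Temp file beside the target so the final mv is an atomic rename;
    # mktemp creates it mode 0600, which matters because it holds the key.
    tmp=$(mktemp "${out}.XXXXXX") || return 3

    # -passout file: keeps the keystore password out of the process list.
    if ! openssl pkcs12 -export \
            -in "$fullchain" -inkey "$privkey" \
            -name tomcat -out "$tmp" \
            -passout "file:$passfile" 2>/dev/null; then
        rm -f "$tmp"
        return 4
    fi

    # Re-open the result before swapping it in, so a bad keystore
    # never replaces the one Tomcat is currently using.
    if ! openssl pkcs12 -in "$tmp" -passin "file:$passfile" -noout 2>/dev/null; then
        rm -f "$tmp"
        return 5
    fi

    mv -f "$tmp" "$out"
}

# When run as a certbot --deploy-hook, convert the renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem_to_p12 "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        "${P12_OUT:-/etc/tomcat/keystore.p12}" \
        "${P12_PASSFILE:-/etc/tomcat/keystore.pass}"
fi
```

Tomcat has to be reloaded or restarted separately to pick up the new keystore.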