Certbot has an autorenew feature via the command certbot renew. On Unix, this is run automatically from the cron or systemd periodic command schedulers, but I'm not really sure what happens on Windows! Maybe this is described in the Certbot documentation, though.
In terms of your Tomcat integration and renewals, the Certbot automated renewal will give you updated versions of the PEM files, not an updated version of the p7b file. However, if you can do the p7b conversion via commands on your own machine, instead of on somebody else's web site (probably using OpenSSL), you could make a deploy hook script which you can ask Certbot to run whenever the certificate is renewed (in order to "deploy" the new certificate). This could include the commands that need to be run to update the p7b file based on the contents of the newly-updated PEM files.
I'm sure you'll notice that Certbot's history and documentation are pretty Unix-oriented, since Certbot was written for Unix and only ported to Windows last year. If you find Unixisms in the documentation that just don't make sense on Windows, please bring them up here or on the Certbot GitHub page so that the documentation can be improved!
Some people using Tomcat have also had a better experience using a different application as a reverse proxy to terminate TLS connections, and then forward them to the Tomcat instance on localhost. For example, you could use nginx or Caddy for this purpose (among other options). In that case you can use the more complete and integrated tools for getting a Let's Encrypt certificate in those applications, and then just use them, not to serve any content, but instead to forward all incoming connections to Tomcat running on some port on localhost on your machine.
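The deploy hook idea described above, sketched as an added example that is not part of the original post or of Certbot itself. It assumes `openssl.exe` is on the PATH and uses a hypothetical output path, `C:\tomcat\conf\cert.p7b`; `RENEWED_LINEAGE` is the environment variable Certbot sets for deploy hooks.

```powershell
# Added example: Certbot deploy hook that rebuilds a PKCS#7 (.p7b) bundle
# from the freshly renewed PEM files, locally, with OpenSSL.
$ErrorActionPreference = 'Stop'

# Certbot points RENEWED_LINEAGE at the live directory of the renewed certificate.
$lineage = $env:RENEWED_LINEAGE
if (-not $lineage) { throw 'RENEWED_LINEAGE is not set; run this as a Certbot deploy hook.' }

$fullchain = Join-Path $lineage 'fullchain.pem'
$target    = 'C:\tomcat\conf\cert.p7b'   # assumption: where your Tomcat setup expects the file
$tmp       = "$target.new"               # build next to the target, swap in only when verified

if (-not (Test-Path $fullchain)) { throw "Missing $fullchain" }

# Bundle the leaf and intermediate certificates into a certificate-only PKCS#7 file.
# A p7b holds certificates only; the private key (privkey.pem) never goes into it.
& openssl crl2pkcs7 -nocrl -certfile $fullchain -out $tmp
if ($LASTEXITCODE -ne 0) { throw "openssl crl2pkcs7 failed with exit code $LASTEXITCODE" }

# Sanity check: the new bundle must parse and carry every certificate from fullchain.pem.
$expected = @(Select-String -Path $fullchain -SimpleMatch 'BEGIN CERTIFICATE').Count
$printed  = & openssl pkcs7 -in $tmp -print_certs
if ($LASTEXITCODE -ne 0) {
    Remove-Item $tmp -Force
    throw 'Generated p7b file does not parse; keeping the previous bundle.'
}
$actual = @($printed | Select-String -SimpleMatch 'BEGIN CERTIFICATE').Count
if ($actual -ne $expected -or $actual -eq 0) {
    Remove-Item $tmp -Force
    throw "p7b holds $actual certificate(s), expected $expected; keeping the previous bundle."
}

# Replace the old bundle only after the new one has been verified.
Move-Item -Path $tmp -Destination $target -Force
```

Save it as a `.ps1` file and give its invocation to Certbot's `--deploy-hook` option, so it runs only when a renewal actually succeeds.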
I'm starting to find myself promoting my own app Certify The Web (https://certifytheweb.com) maybe a little too much, but it does provide a dedicated Tomcat deployment task which will create the file for you.