I found some advice on stackoverflow about using openssl to create a PKCS12 file and then import it as a keystore using keytool:
openssl pkcs12 -export -in /etc/letsencrypt/live/sophotech.ddns.net/fullchain.pem -inkey /etc/letsencrypt/live/sophotech.ddns.net/privkey.pem -out cert.p12 -name sophotech.ddns.net
Type x when asked for the export password. Then delete keystore.test and do this:
keytool -importkeystore -destkeystore keystore.test -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass x
but it generates a keystore which breaks the server on startup (java.security.UnrecoverableKeyException: Cannot recover key).
If someone who knows their way around keytool (and/or openssl) can help with this, I suspect it might make a good addition to the FAQ...