Further information: I believe the tomcat docs don’t mention the private key because they assume that you are using an existing keystore that was used for the CSR and thus contains the private key already (at least I think so…).
So I guess I am required to add the privkey generated from the LE client into the keystore but I am unable to do so because I don’t have the password for the privkey :-/