I think I chose the most unfriendly mix of technologies...
Here is the setup:
Atlassian JIRA Server for Windows, self-hosted on a laptop at home. (I chose Windows because it lets me create a "hot" image backup as a very simple DR plan.) JIRA is currently happy using HTTP, port 80.
Using letsencrypt-win-simple, I was unable to give it a local file system path that it could write to for the ACME verification, so I temporarily stopped the JIRA service and ran Mongoose web server. That worked and it gave me the following .pem files:
Using this post as a reference, it looks like I just need the full chain .pem file and the private key .pem file, but which one is which from above?
Using trial and error, I successfully ran the following:
openssl pkcs12 -export -in jira.findmyshit.ca-crt.pem -inkey jira.findmyshit.ca-key.pem -out fullchain_and_key.p12 -name tomcat
and then successfully ran:
"C:\Program Files (x86)\Java\jre1.8.0_131\bin\keytool.exe" -importkeystore -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -alias tomcat -deststorepass _my-password_ -destkeypass _my-password_ -srcstorepass _my-password_
"Successful" simply means that I did not get any errors.
Using these instructions from Atlassian, I copied MyDSKeyStore.jks to the JIRA folder as jira.jks and used JIRA's config.exe as per the instructions. However, hitting config's "test" button, I got "The private key could not be found in the keystore".
I suspect that I am doing something wrong at either the openssl or the keytool phase.
Once I learned about Certify here, I hoped it would output more friendly .pem files but all I found was the Visual Studio project, which seemed to be missing ACMESharp, and downloading that as a separate project seemed like a rabbit hole.
I'm really hoping that someone can point out my folly(ies).
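Added example, not part of the original post: a small Python check that tells a private-key .pem from a single-certificate or full-chain .pem by reading the PEM block labels, which is the "which one is which" question above. The sample inputs and the script name pem_kinds.py are constructed for illustration; the bodies are placeholders, not real key or certificate material.

```python
import re
import sys

# One PEM armor block; the captured label says what the block holds.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def pem_labels(text):
    """Return the label of every PEM block in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def classify(text):
    """Describe a PEM file by the blocks it contains."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    if keys and certs:
        return f"private key plus {certs} certificate(s)"
    if keys:
        encrypted = "ENCRYPTED PRIVATE KEY" in labels
        return "encrypted private key" if encrypted else "private key"
    if certs > 1:
        return f"certificate chain ({certs} certs)"
    if certs == 1:
        return "single certificate"
    if "CERTIFICATE REQUEST" in labels:
        return "certificate signing request"
    return "no recognised PEM block"

def _block(label):
    # Constructed placeholder body, not real key or certificate material.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed sample inputs.
SAMPLE_LEAF = _block("CERTIFICATE")
SAMPLE_CHAIN = _block("CERTIFICATE") + _block("CERTIFICATE")
SAMPLE_KEY = _block("RSA PRIVATE KEY")

if __name__ == "__main__":
    # Usage: python pem_kinds.py file1.pem file2.pem ...
    for path in sys.argv[1:]:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            print(f"{path}: {classify(fh.read())}")
```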