I was just suggesting that editing the tomcat start script so that it generated the keystore every time you started tomcat might be easier than doing it manually every three months.
The passphrase is anything you want it to be, just make it the same in both places.
I found a tutorial about JKS files on our forum here:
Someone more familiar with that method would have to help you with that if you run into trouble. Perhaps if you change your thread title to reference tomcat a Java expert might notice.
I'm far from a Java expert, so for the two tomcat servers and one jetty server I'm forced to administer, I just use openssl to generate PKCS#12 files as described in my earlier comment. Tomcat accepts these as a keystore format in addition to JKS, and they also work with Microsoft IIS so it's one less command I have to remember.