I'd suggest finding a way to avoid generating your own CSR. When you use Certbot's --csr
option, it disables most of its certificate management features, including automatic renewal.
It's possible to have Certbot generate its own keys and use a --deploy-hook
to create the files Tomcat needs and reload/restart Tomcat, all automatically.
I don't personally know exactly how, though.
There are a number of past threads on Tomcat on this forum, e.g.:
See also the Certbot documentation:
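As an added illustration of the deploy-hook approach described above (this is not code from the post's author or from the Certbot project), here is one shape such a hook can take. Certbot passes the renewed lineage directory to deploy hooks in the `RENEWED_LINEAGE` environment variable; the keystore path, the password file, the Tomcat service name and the script file name `tomcat-deploy-hook.sh` are assumptions for the example.

```shell
#!/bin/sh
# Certbot deploy hook: package the renewed certificate as a PKCS#12 keystore
# for Tomcat and restart Tomcat. Certbot exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/<name>) to deploy hooks after a successful renewal.
# Assumed locations; override via environment if they differ on your host.
KEYSTORE="${KEYSTORE:-/etc/tomcat/keystore.p12}"
KEYSTORE_PASS_FILE="${KEYSTORE_PASS_FILE:-/etc/tomcat/keystore.pass}"  # mode 0600, owned by root
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"                              # assumed systemd unit name

# Verify the lineage directory Certbot handed us contains the files we need.
# Returns 0 when fullchain.pem and privkey.pem are present, 1 otherwise.
check_lineage() {
    lineage="$1"
    [ -n "$lineage" ] || return 1
    [ -f "$lineage/fullchain.pem" ] || return 1
    [ -f "$lineage/privkey.pem" ] || return 1
    return 0
}

# Build the PKCS#12 keystore into a temp file next to the target, then move it
# into place atomically so Tomcat never reads a half-written keystore.
build_keystore() {
    lineage="$1"; out="$2"; passfile="$3"
    tmp="$(mktemp "${out}.XXXXXX")"
    openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" \
        -inkey "$lineage/privkey.pem" \
        -name tomcat \
        -passout "file:$passfile" \
        -out "$tmp"
    chmod 0640 "$tmp"          # readable by the tomcat group, not world-readable
    mv -f "$tmp" "$out"
}

main() {
    check_lineage "${RENEWED_LINEAGE:-}" || {
        echo "deploy hook: RENEWED_LINEAGE missing or incomplete" >&2
        return 1
    }
    build_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$KEYSTORE_PASS_FILE"
    systemctl restart "$TOMCAT_SERVICE"
}

# Run only when executed as the hook script itself, not when sourced for testing.
case "${0##*/}" in
    tomcat-deploy-hook.sh) main "$@" ;;
esac
```

Register it with `certbot certonly ... --deploy-hook /path/to/tomcat-deploy-hook.sh` (or in the lineage's renewal config), and point Tomcat's connector at the keystore with `certificateKeystoreFile` and `certificateKeystoreType="PKCS12"` in `server.xml`. Because the hook only runs after a successful renewal and fails loudly when the lineage is incomplete, a broken run leaves the previous keystore in place instead of taking Tomcat down.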