First, I think you might have confused
/etc/letsencrypt/renewal. The contents of
/etc/letsencrypt/live are subdirectories referring to particular certificates that you have and each one of those currently has only four files,
keytool utility is used for editing Java keystores (JKS), which is important when using Tomcat and some other Java-related server environments. However, there is nothing particularly macOS-specific about this; you would also likely use
keytool with Tomcat on Linux, while you don't need to use
keytool for Apache on macOS. People who aren't using Tomcat or Java servers don't need to use
keytool as part of their certificate setup or renewal process.
Whether or not you have to renew manually depends on how you originally got your certificate. It might not be that uncommon for Tomcat users to do so, but many other people's environments can renew just by running
certbot renew or
certbot-auto renew, and can often do so automatically from a periodic job run from
systemd, without needing any human intervention at all.
I don't think this is relevant to @Belph's situation because @Belph was using Apache on Debian.