Tomcat uses either Java keystore files or PFX files. Personally, I find the latter easier to deal with, but if you prefer to use Java keystore files, there is a guide here.
To generate a PFX file, with certificates already issued by certbot:
cd /etc/letsencrypt/live/yourdomain.com
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:apassword
You can also do this in a renew hook so you don’t have to do it manually every three months.
Then, configure Tomcat to use it, e.g.:
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/etc/letsencrypt/live/yourdomain.com/bundle.pfx" keystorePass="apassword"
    clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
If you don’t have a certificate yet and Tomcat is listening on port 80, you can obtain one with the http-01 verification method, e.g.:
sudo certbot certonly --webroot -w /path/to/tomcat/webapps -d yourdomain.com -d www.yourdomain.com
EDIT: I updated the Tomcat configuration with sahsanu’s advice downthread.
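
The renew hook mentioned in the post could look like the following. This is an added example, not part of the original post: the function name `build_pfx`, the variable `PFX_PASS_FILE`, its default path and the install path in the comment are assumptions. It reads the keystore password from a root-only file instead of the command line (where it would show up in the process list), and it writes the bundle owner-only and swaps it in atomically.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds bundle.pfx after each renewal.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/tomcat-pfx.sh
# PFX_PASS_FILE (hypothetical) names a root-only file holding the keystore password.

build_pfx() {
    lineage=$1    # e.g. /etc/letsencrypt/live/yourdomain.com
    passfile=$2   # file whose first line is the keystore password
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    [ -r "$passfile" ] || { echo "missing $passfile" >&2; return 1; }

    old_umask=$(umask)
    umask 077     # the bundle contains the private key: owner-only from creation
    tmp=$(mktemp "$lineage/bundle.pfx.XXXXXX") || { umask "$old_umask"; return 1; }
    if openssl pkcs12 -export -out "$tmp" \
            -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
            -certfile "$lineage/chain.pem" -passout "file:$passfile"; then
        # rename within one directory is atomic, so a partial file is never visible
        mv -f "$tmp" "$lineage/bundle.pfx"
        rc=$?
    else
        rm -f "$tmp"   # leave the previous bundle untouched on failure
        rc=1
    fi
    umask "$old_umask"
    return $rc
}

# certbot exports RENEWED_LINEAGE to deploy hooks; do nothing when run outside one
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pfx "$RENEWED_LINEAGE" "${PFX_PASS_FILE:-/etc/tomcat/pfx.pass}"
fi
```

Tomcat reads the keystore when the connector starts, so restart it (or otherwise reload the connector) after the hook runs; if Tomcat runs as an unprivileged user, it also needs read access to the bundle.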