Originally, Tomcat supported Java keystores only. Creating a JKS requires you to import your PEM key and certificate into a PKCS12 container first. Then, you have to import that PKCS12 into a Java keystore. Luckily, recent versions of Tomcat support PEM and PKCS12 directly. I tested with Tomcat 8.5.93.
If your SSL key and certificate are two distinct, unencrypted PEM files, where the key starts with -----BEGIN PRIVATE KEY----- and the first line of the certificate reads -----BEGIN CERTIFICATE-----, then edit conf/server.xml in your Tomcat directory. Search for a line that defines a <Connector port="8443" and uncomment the whole block. Now add an SSLHostConfig section within the connector that references your key and certificate. The whole block should look like this:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000">
    <SSLHostConfig>
        <Certificate certificateFile="conf/www.your-domain.invalid.crt"
                     certificateKeyFile="conf/www.your-domain.invalid.key" />
    </SSLHostConfig>
</Connector>
Configuring a PKCS12 container is almost identical to configuring a JKS, but you have to alter the keystore type:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/www.your-domain.invalid.p12"
                     certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
</Connector>

Usually PKCS12 containers are encrypted. Thus, you have to supply the container's password in the Certificate element inside SSLHostConfig:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/www.your-domain.invalid.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="verySecret" />
    </SSLHostConfig>
</Connector>
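Both setups leave private-key material on disk (an unencrypted PEM key, or a PKCS12 file whose password sits in server.xml), so file permissions matter. The following check is an added example, not part of the original post: it parses a server.xml and reports, per TLS connector, key or keystore files that are missing or accessible by group/other, and any inline keystore password. The function name and sample XML are constructed here, and it assumes relative paths resolve against the Tomcat directory, as the conf/ paths above imply.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Attributes from the page's examples that reference private-key material.
KEY_ATTRS = ("certificateKeyFile", "certificateKeystoreFile")

# Constructed sample modelled on the PKCS12 connector shown above.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/www.your-domain.invalid.p12"
                   certificateKeystoreType="PKCS12"
                   certificateKeystorePassword="verySecret" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def audit_server_xml(xml_text, tomcat_dir):
    """Return (port, finding) tuples for every active TLS connector."""
    findings = []
    root = ET.fromstring(xml_text)  # commented-out connectors are not parsed
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        certs = conn.findall("./SSLHostConfig/Certificate")
        if not certs:
            findings.append((port, "no SSLHostConfig/Certificate element"))
        for cert in certs:
            if cert.get("certificateKeystorePassword") is not None:
                findings.append((port, "keystore password stored in server.xml"))
            for attr in KEY_ATTRS:
                rel = cert.get(attr)
                if rel is None:
                    continue
                path = os.path.join(tomcat_dir, rel)  # absolute paths pass through
                if not os.path.isfile(path):
                    findings.append((port, f"{attr} missing: {rel}"))
                elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                    findings.append((port, f"{attr} accessible by group/other: {rel}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE, "."):
        print(f"connector {port}: {finding}")
```

When the inline-password finding appears, server.xml itself needs the same restrictive permissions as the keystore it unlocks.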