There are two options to specify the PKCS#12 file passwords on the command line. password allows the password to be specified as an argument and envpass allows an environment variable to be used instead. Only PKCS#12 file passwords (not the PEM pass phrases) can be currently specified like this. The use of envpass is recommended over password because command line passwords can be seen by some utilities (for example ps under Unix).
openssl pkcs12 -in file.p12 -out file.pem
This will dump all the keys and certificates in the PKCS#12 file to file.pem. It will ask you for the password to decrypt the PKCS#12 file and the pass phrase to encrypt the output private key with.
There are a few options that select which certificates appear in the output file. nocerts will not output any certificates, clcerts will only output client certificates and cacerts will output just CA certificates. By default all certificates are output.
Similarly various options relate to the output of private keys. nokeys will not output any keys at all nodes wont encrypt the private key on output (it wont prompt for a pass phrase) idea will use the IDEA cipher, des will use DES and des3 will use triple DES (the default).
The noout option combines nocerts and nokeys: it doesn't output any keys or certificates. This is useful to just check the PKCS#12 file can be read.
Finally there are some advanced options. They will probably never be used by most people so I'll only describe them briefly. The info option will print extra information about the PKCS#12 structure, such as the encryption used and the various structures used. The nomacver will stop the program attempting to verify the PKCS#12 MAC. The twopass option prompts for separate integrity and privacy passwords.
openssl pkcs12 -export -in certs.pem -out file.p12 -name "MY Certificate"
should work with both MSIE and Netscape. The input file can contain the user and CA certificates and key in any order (only one key is used).
The export option specifies that a PKCS#12 file will be generated (rather than parsed).
The name option determines the certificate "friendly name". This is the name that appears in the listbox for Netscape. If you omit the name option then some versions of Netscape will prompt for the name to use: this might be preferable. Unfortunately if you omit the name option in some older versions of MSIE it will refuse to import the file. For MSIE you should use a unique name for each PKCS#12 file imported: this is because the private key is stored under this name and may be silently overwritten if the given name already exists.
There are two options that allow additional certificates to be added. certfile is followed by the filename of an additional certificate file to loaded. It just includes all the certificates in the file. chain automatically includes the whole CA chain: for this to work the user certificate must be trusted (its CAs placed in the OpenSSL certs directory).
The inkey option can be followed by the filename of the private key to use. By default this is read from the input file: using the inkey option you can specify a separate file.
CAs can have friendly names as well: they can be set with the caname option. The caname can be used multiple times to supply names for each CA used. Neither Netscape nor MSIE 4 make any use of them (it would be nice if Netscape used CA friendly names in its listbox) but when you use my pkcs12 program to parse a PKCS#12 file the names are printed in the output file. IE5 uses the name supplied (if any) for its "friendly name".
You only need to use keyex and keysig options if you need to load sign only keys with MSIE export version. Usually this means Authenticode. Check out Authenticode section of the main FAQ for more info.
There are also some advanced options for generating PKCS#12 files. Again they will probably never be needed by most users so I'll only describe them briefly.
maciter includes a MAC iteration count of 1000, such files cannot be imported into versions of MSIE before IE5, they can however be imported into all versions of Netscape. Use of this option makes it harder for an attacker to make a dictionary search of the password. Check out the iteration counts section of the main FAQ for more info.
noiter sets all iteration counts to 1, use of this option is discouraged because it makes a dictionary search for the password easier.
descert encrypts the certificates with triple DES instead of 40 bit RC2. Certain versions of Netscape Communicator will refuse to import such files. Since certificates are generally publically available there is no real need to strongly encrypt them.
twopass like the parsing option prompts for separate integrity and privacy passwords. If you use this option and the passwords are different then no current versions of Netscape or MSIE will import the resulting file: they assume these passwords are the same, although the PKCS#12 specification does not enforce this.