Talk:Installing an SMIME certificate

From MozillaZine Knowledge Base

Issues with the content of this page

This page doesn't offer any explanation for the sources from which one might obtain a PKCS12 file (.p12 or .pfx) with one's SMIME certificate and private key. It suggests that such a PKCS12 file might contain a certificate issued by a recognized CA, or might contain a self-signed cert, but it offers no clues about how a user might obtain a PKCS12 file of either form. One does not obtain a PKCS12 file from a legitimate CA. A PKCS12 file contains a copy of the private key, and the CA that issues the certificate has NO BUSINESS having a copy of the private key. The usual sources of PKCS12 files are:

  1. Made by Firefox as a "backup" of a certificate and private key after successfully enrolling for a certificate from a CA over the web, or
  2. Produced as a self-signed cert with OpenSSL or with Mozilla's NSS tools.

The page claims that a self-signed cert cannot be imported from a PKCS12 file unless the certificate has first been imported into the "Authorities" tab. I have not verified that, but if it is true, that is a bug in the product. There should be NO prerequisites to importing a PKCS12 file.
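The second source listed in the comment above (a self-signed cert produced with OpenSSL) can be sketched as follows. This is an added example, not part of the original comment or of the Knowledge Base page; the function names, file names, certificate subject and the `P12_PASS` environment variable are assumptions, and it needs OpenSSL 1.1.1 or later for `-addext`. The summary function shows that the resulting PKCS12 file holds the private key alongside the certificate.

```shell
#!/bin/sh
# Added example. Names, paths and the P12_PASS variable are assumptions.
# The PKCS12 passphrase is read from the environment (env:P12_PASS) so that
# it does not appear on the command line or in the process list.

# make_smime_p12 OUTDIR EMAIL
# Generates an RSA key and a self-signed certificate marked for e-mail
# protection, then bundles both into OUTDIR/smime.p12.
# The function body is a subshell, so umask does not leak to the caller.
make_smime_p12() (
    outdir=$1
    email=$2
    umask 077    # key material must not be group- or world-readable
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
        -subj "/CN=$email" \
        -addext "subjectAltName=email:$email" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null || exit 1
    openssl pkcs12 -export -inkey "$outdir/key.pem" -in "$outdir/cert.pem" \
        -name "$email" -out "$outdir/smime.p12" \
        -passout env:P12_PASS || exit 1
    # The PEM key above is unencrypted; keep only the protected bundle.
    rm -f "$outdir/key.pem"
)

# p12_summary FILE
# Prints "certs=N keys=M smime=yes|no" for a PKCS12 bundle.
p12_summary() {
    certs=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || :)
    keys=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY' || :)
    if openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null | grep -q 'E-mail Protection'
    then
        smime=yes
    else
        smime=no
    fi
    echo "certs=$certs keys=$keys smime=$smime"
}
```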