Modifying an existing keystore
The command "openssl pkcs12" cannot modify an existing keystore in place, e.g. to add or remove a CA certificate or to renew an expired certificate. If something needs to be changed in a keystore, the keystore must be re-created from scratch using "openssl pkcs12 -export ..." with input from PEM files. If the original PEM input files are no longer available, the content of the existing keystore can be extracted, as a whole or partially, into PEM files.
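The extract-and-rebuild procedure described above, as an added example that is not part of the original page: it splits a keystore into PEM files and re-creates it with a different CA certificate. The password "changeit", the alias "server", the file names and the helper function names are assumptions, and make_sample builds a constructed throwaway keystore so the script runs offline.

```shell
#!/bin/sh
# Added example; all names, subjects and passwords are constructed placeholders.
umask 077   # the extracted key.pem is unencrypted: keep every output file owner-only

# Build a constructed sample: three self-signed certs and a keystore holding
# srv (key + cert) plus oldca as the CA certificate. $1 = work dir
make_sample() {
    for n in oldca newca srv; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
            -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null || return 1
    done
    openssl pkcs12 -export -inkey "$1/srv.key" -in "$1/srv.pem" \
        -certfile "$1/oldca.pem" -name server -out "$1/old.p12" -passout pass:changeit
}

# Extract an existing keystore partially, one PEM file per kind of content.
# $1 = keystore, $2 = password, $3 = output dir
p12_extract() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem" &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/cert.pem" &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/ca.pem"
}

# Re-create the keystore from scratch with the CA file of your choice.
# $1 = dir with key.pem and cert.pem, $2 = CA PEM file, $3 = new keystore, $4 = password
p12_rebuild() {
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -certfile "$2" -name server -out "$3" -passout "pass:$4"
}

# Print the subject lines of the CA certificates stored in a keystore,
# to confirm the result before the old keystore is replaced.
# $1 = keystore, $2 = password
p12_ca_subjects() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null |
        grep 'subject='
}
```

Remove key.pem as soon as the new keystore has been verified, since it holds the private key without password protection.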