The difficulty was getting the java keytool to import a private key. The other difficulty was getting the secret proprietary microsoft .pvk format into a form that anything else knew about.
I got it working using pvktool to convert from pvk to pem format:
wine pvk.exe -in mykey.pvk -nocrypt -out mykey.pem
I then used openssl to combine the key pem file with the cer file I had exported from MSIE to make a pkcs12 file:
openssl pkcs12 -export -chain -name FRIENDLYNAME -inkey mykey.pem -in mycert.cer -out all.pkcs12
The final clue was to give up using keytool to import the pkcs12 into the java keystore, but just use the pkcs12 file directly:
jarsigner -storetype pkcs12 -keystore all.pkcs12 JARFILE.JAR "FRIENDLYNAME"
For completeness I note that a pfx export from MS Windows is close enough a PKCS12 file, as is an export from Mozilla Firefox; however I wasn’t able to import the openssl generated pkcs12 file into MS IE, unless I imported it and exported through Firefox first. It may be something else I had done wrong at the same time that stopped it working otherwise/
And I’m not sure where the certificate chain came from, openssl’s root CA’s no doubt.