Engineers loathe the use of keytool, a Java utility to manage certificates and keys.
I first found that it is relatively easy to convert keystores from the SUNW format used by keytool to PKCS#12 (.pfx) format used by IIS, and back.
This means one can easily follow normal procedures to obtain a new certificate and export it to .pfx format.
After tinkering with it a bit, I read the Tomcat doc. It seems that Tomcat (at least for v6) can support PKCS12 format directly.
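
A Tomcat 6 `server.xml` connector that reads the exported .pfx file directly, shown as an added example that is not part of the original post. The port, file path and password are placeholder values (assumptions); the attribute names are those of Tomcat's JSSE HTTPS connector.

```xml
<!-- Added example, not from the original post.
     Tomcat's keystoreType defaults to "JKS"; setting it to "PKCS12"
     lets the connector load the .pfx file without any conversion. -->
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="/path/to/server.pfx"
           keystorePass="CHANGE_ME" />
<!-- keystoreFile and keystorePass above are placeholders (assumptions).

     Only needed when the key still lives in a keytool keystore
     (file names here are placeholders as well):

       keytool -importkeystore
               -srckeystore old.jks    -srcstoretype JKS
               -destkeystore server.pfx -deststoretype PKCS12

     Swapping the two store types converts in the other direction. -->
```

Because `keystorePass` sits in `server.xml` in clear text, restrict read access on both `server.xml` and the .pfx file to the account that runs Tomcat.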