For mutual authentication, each end needs its own private key in its keystore and, in its truststore, a certificate that vouches for the other end: either the other end's own certificate or the certificate of a CA that signed it. In Tomcat the truststore is a separate connector setting from the keystore: truststoreFile, which falls back to the JVM's own cacerts file (not to keystoreFile) when it is left unset. Set it explicitly, or you will be trusting every CA in the JVM's default store rather than the one you meant. You also need to tell Tomcat to ask for the other end's certificate with the clientAuth setting on the connector (clientAuth="true" requires a client certificate, "want" requests one but lets the handshake proceed without it).
Java 6's PKCS #12 (PFX or P12) keystore can hold private-key entries but not stand-alone trusted-certificate entries, so it cannot be used as the truststore; use JKS or JCEKS for that (Java 8 and later lift this restriction).
The browser can add the remote certificate to its trusted certificates from a .cer file (a DER- or PEM-encoded certificate). Its own private key and certificate can be imported from a PKCS #12 file, or the browser can generate a key pair itself and have the certificate issued online by a CA. You can run your own CA with
EJBCA, or with one that ships with your OS.
Note that you don't need to issue the browsers' certificates yourself. If your users get their client certificates from Brand X CA, add Brand X CA's root certificate to your server's truststore and it will accept them. Bear in mind that this accepts any certificate Brand X CA has ever issued at the TLS layer, so the application still has to map the presented certificate (its subject or serial number) to a known user before granting anything.