I'm not an expert on this, but here are some notes I have from prior work signing jars. To the experts, feel free to comment on anything you think I got wrong.
In my experience, you end up either having separate .pvk and .spc files, or a .pfx file. .pvk stores the private key, while the .spc stores the Software Publisher Certificate (SPC). An SPC file may be stored with the .cer extension as well. A .pfx file is a Personal Information Exchange file that contains both the certificate and the keys, and is sometimes referred to as PKCS #12.
I'm going to assume you have a .pfx file. If you have separate .pvk and .spc (or .cer) files, they can be combined into a .pfx file. You also need a Java keystore to work with.
When I did this, I used the Java Web Services Developer pack, because it came with tools to help (I can't quite recall what I needed from it; maybe the pkcs12import stuff).
If not there already, install the Primary Root CA into the keystore:
keytool -import -trustcacerts -alias <rootCAname> -file <whatever>.pem -keystore <keystoreName>
Now import your .pfx into the keystore:
pkcs12import.bat -file <whatever>.pfx -keystore <keystoreName> -alias <whateverAlias>
The first password it asks you for is the password for the .pfx file. The second is the password for the keystore. The third you can just leave blank. If this all completes successfully, the keystore should now be ready to sign jars.
To sign a jar:
jarsigner.exe -keystore <keystoreName> <whatever>.jar <whateverAlias>
If you need to un-sign a jar, you can do so by removing the .SF and .RSA files from the jar's META-INF directory, and removing all the Name: and SHA1-Digest lines from the MANIFEST.MF file.
I hope this helps. I know it's a royal pain. It's complicated, and there are few tutorials that don't just leave you confused. The people that design this stuff don't ever stop to think that maybe they should leave instructions so people can use it properly.
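As an added example (not part of the answer above), here is the un-signing step in Python: it builds a constructed, jar-shaped zip with placeholder signature files, reports which META-INF signature entries are present (a quick way to check whether a jar is signed at all), and rebuilds the jar without those files and without the per-entry Name:/SHA1-Digest sections of MANIFEST.MF. The alias MYALIAS, the class name and the digest value are made up.

```python
import io
import re
import zipfile

# Constructed sample manifest: a main section followed by one per-entry
# digest section, as jarsigner writes it (the digest value is a placeholder).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.8.0 (constructed)\r\n"
    "\r\n"
    "Name: com/example/Hello.class\r\n"
    "SHA1-Digest: ZmFrZS1kaWdlc3QtcGxhY2Vob2xkZXI=\r\n"
    "\r\n"
)

# Signature file (.SF) and signature block (.RSA/.DSA/.EC) names under META-INF.
SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def build_sample_jar() -> bytes:
    """Constructed 'signed' jar; the .SF/.RSA contents are placeholders, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        z.writestr("META-INF/MYALIAS.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/MYALIAS.RSA", b"\x30\x00")  # placeholder PKCS#7 blob
        z.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def signature_entries(jar_bytes: bytes) -> list:
    """Names of signature-related META-INF entries; an empty list means the jar is unsigned."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return sorted(n for n in z.namelist() if SIG_FILE.match(n))


def strip_manifest_digests(manifest: str) -> str:
    """Keep only the main section; drop every 'Name:' section and its digest lines."""
    sections = re.split(r"\r?\n\r?\n", manifest)
    main = [s for s in sections if s.strip() and not re.search(r"^Name:", s, re.M)]
    return main[0].rstrip("\r\n") + "\r\n\r\n" if main else ""


def unsign_jar(jar_bytes: bytes) -> bytes:
    """Rebuild the jar without the signature files and per-entry manifest digests."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_FILE.match(info.filename):
                continue  # drop <alias>.SF / <alias>.RSA
            data = src.read(info.filename)
            if info.filename == "META-INF/MANIFEST.MF":
                data = strip_manifest_digests(data.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def manifest_text(jar_bytes: bytes) -> str:
    """Return MANIFEST.MF as text, for inspecting the result."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return z.read("META-INF/MANIFEST.MF").decode("utf-8")
```

After this, `jarsigner -verify` will simply report the jar as unsigned, and it can be re-signed with the keystore alias as above.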