Sounds good – it uses pkcs12 (though I think it may also be able to use .pem).
For a long-term fix, it would be nice to have the user’s password be the passphrase that the cert is protected with by default (selectable via a checkbox). I don’t know if the passwords are stored in such a way that you can get them back, though, so that may not be possible (if you are keeping PWs in a one-way hashed form).
I had never thought about it until now, but from a security standpoint, having certs exported with passphrases makes sense. That way if they are distributed insecurely (like via email) and fall into the wrong hands, they aren’t compromised. Of course, if the sender also includes the passphrase in the email, it wouldn’t matter. 🙂 Unfortunately, I’ve seen things like that happen in my work environment.