OpenSSL

Remove password from .PFX file

# extract certificate
openssl pkcs12 -clcerts -nokeys -in $PFXIn -out certificate.crt -password pass:$PASSWORD -passin pass:$PASSWORD

# extract CA certificate
openssl pkcs12 -cacerts -nokeys -in $PFXIn -out ca-cert.ca -password pass:$PASSWORD -passin pass:$PASSWORD

# extract private key
openssl pkcs12 -nocerts -in $PFXIn -out private.key -password pass:$PASSWORD -passin pass:$PASSWORD -passout pass:$TEMPPASS

# remove pass-phrase
openssl rsa -in private.key -out new.key -passin pass:$TEMPPASS

# collect everything ...
cat new.key certificate.crt ca-cert.ca > pem.pem

# ... and create PKCS12 file
openssl pkcs12 -export -nodes -CAfile ca-cert.ca -in pem.pem -out $PFXOut -passout pass:

# cleanup
rm -f ca-cert.ca certificate.crt $PFXIn private.key new.key pem.pem

Add extra intermediate

# extract certificate
openssl pkcs12 -clcerts -nokeys -in $PFXIn -out certificate.crt -password pass:$PASSWORD -passin pass:$PASSWORD

# extract CA certificate
openssl pkcs12 -cacerts -nokeys -in $PFXIn -out ca-cert.ca -password pass:$PASSWORD -passin pass:$PASSWORD

# extract private key
openssl pkcs12 -nocerts -in $PFXIn -out private.key -password pass:$PASSWORD -passin pass:$PASSWORD -passout pass:$PASSWORD

# create chain
cat extended.cer ca-cert.ca > chain.crt

# create PKCS12 file
openssl pkcs12 -export -out $PFXOut -inkey private.key -in certificate.crt -certfile chain.crt

# cleanup
rm -f extended.cer ca-cert.ca certificate.crt $PFXIn private.key