I can export a Java truststore (JKS file with only certificates, no private key), using the keytool command to a p12 file:
keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.p12 -deststoretype PKCS12
However, I can't seem to figure out how I could create the same file using the 'openssl pkcs12' command. It allows you to pass in certificates, but every option I've tried requires the user to pass in the private key.
openssl pkcs12 -export -nokeys -in certificate.cer -out pkcs12.pfx