$ openssl pkcs12 -in pkcs12file.p12 -out pemfile.pem
(by default, pkcs12 will ask for an import password, to decrypt the p12 file (just press Enter if you don’t have a password), and finally a passphrase to encrypt your key)
pemfile.pem now contains your CA certificate, your client certificate, and your (encrypted) key.