To answer the speculation: with SignTool, yes, you can simply use the file that Firefox exports (the backup).

I'm using SetupBuilder 7.5 Professional, and was able to simply install my certificate in Firefox, back it up to the .p12 file, rename that to .pfx and use that with SetupBuilder and SignTool. All done, relatively short and simple.

Also worth mentioning that you can code sign without manifesting. It turns out I have some work to do before adding the UAC manifest, as it invokes all the Windows Vista/7 behaviors that my program isn't ready for (even when setting compatibility to none). On the other hand, code signing alone eliminates the warnings from my antivirus software, so that should take care of some occasional client issues.