There's a reason you rarely see a short explanation of cryptography!
Many forms of encryption are based on the use of a single Shared Key (symmetric) to encrypt and decrypt the message--both the sender and the receiver must know the key.
However, in this case you are using Public Key cryptography, which splits the key into two parts that, as you said, "work hand in hand". To borrow from http://www.globus.org/toolkit/security/public-key-cryptography.html:
These keys are numbers that are mathematically related in such a way that if either key is used to encrypt a message, the other key must be used to decrypt it. Also important is the fact that it is next to impossible (with our current knowledge of mathematics and available computing power) to obtain the second key from the first one and/or any messages encoded with the first key.
By making one of the keys available publicly (a public key) and keeping the other key private (a private key), a person can prove that he or she holds the private key simply by encrypting a message. If the message can be decrypted using the public key, the person must have used the private key to encrypt the message.
Note that it is critical that private keys be kept private! Anyone who knows the private key can easily impersonate the owner.
Apparently, what you have here in your password-protected .P12 file is both your private and public keys. After you import it into your PC, you can extract a .CER file of your public key--and that's the one you give to the web service.
After that, here's essentially what happens when you send a message to the web service:
- Your computer needs to use your private key and the web service's public key to encrypt the message.
- Then, only the web service which has access to your public key and their own private key can decrypt it.
For them to send a message back to you, it works quite the same, but with everything in reverse.
Now that should be as clear as mud... but at least you've got a start.