In the user package, you include the certificate exported in p7b format. As it is included in the SEE-RS client package, it is the same one used for all your endpoints, and is an additional element against which all your files are encrypted.
The one you keep in a safe place is the same certificate, but with the private key included, and yes .pfx format is fine.
Essentially, the process should be to create a new cert with the file ecryption attribute, and any others you need. Export one copy with the private key and lock away in a safe place. Then export a second copy without the key in and include it in the SEE-RS client package.
Don't forget that the machine that you export these certificates from still holds the original cert in its cert store, which means this machine can decrypt any files ecrypted with the package you just created. You need to either lock this machine away somewhere and audit any physical access to it, or delete the cert from its store.
Just to clarify, these steps focus on the Recovery certificate of SEE-RS only, and do not apply to the cert used for encypting the communications between client and server.