should help you out The Java keytool.exe utility is used to maintain digital certificates and their associated keys in a key-store file. It can also be used to generate key-pairs, signing requests and for other security-data oriented functions.
Is there a command line tool to generate symmetric keys in a Java keystore?
wish helps you Keytool automatically generates a self-signed certificate when it generates a key entry, whereas PKCS#11 allows to create a key pair without a corresponding certificate. The Java keystore API simply ignores key pair entries without a certificate. That's why keytool -list ... does not show the entry when it was created with pkcs11-tool. If you take a look at the Oracle PKCS#11 guide and especially the restrictions, it says:
What algorithm does java.security.KeyStore use to encrypt the privateKey in KeyStore.setKeyEntry() and KeyStore.store()?