This demonstrates how to interface with a cryptographic hardware security module (a Local, or network HSM, A smartcard, or a TPM) which supports the PKCS11 protocol: https://en.wikipedia.org/wiki/PKCS_11 under Java: http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html
This demo leverates the SoftHSM module provided by OpenDNS Sec https://www.opendnssec.org/softhsm/ The Mozilla Netscape Security Services (NSS) internal software module might work..
~Gordon