最后，基于此示例，我仅提出以下解决方案。我将<Connector>实例添加到Tomcat配置中，并带有sslImplementationName指向自定义JSSEImplementation类名称的属性，并JSSEImplementation通过自定义JSSESocketFactory和X509KeyManager类进行扩展。

Tomcat配置如下所示：

<Connector
       protocol="org.apache.coyote.http11.Http11Protocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       clientAuth="true" sslProtocol="TLS" SSLEnabled="true"
       sslImplementationName="x.y.z.CustomJSSEImplementation"
       keyAlias="alias_of_key_in_HSM_and_cert_in_JKS"
/>

CustomJSSEImplementation 类是：

public class CustomJSSEImplementation extends JSSEImplementation {
   @Override
   public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint) {
      return new CustomSslContextSocketFactory(endpoint);
   }

   @Override
   public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {
      return new CustomSslContextSocketFactory(endpoint);
   }
}

CustomSslContextSocketFactory 类是：

public class CustomSslContextSocketFactory extends JSSESocketFactory {

    public static final AtomicReference<CustomSslContext> customSslContext =
        new AtomicReference<CustomSslContext>();

    public CustomSslContextSocketFactory(AbstractEndpoint endpoint) {
        super(endpoint);
    }

    @Override
    public KeyManager[] getKeyManagers() throws Exception {
        return (customSslContext.get() == null ? super.getKeyManagers() : customSslContext.get().getKeyManagers(this));
    }
}

CustomSslContext 界面是：

interface CustomSslContext {
    KeyManager[] getKeyManagers(JSSESocketFactory factory) throws Exception;
}

HsmKeyManagerImpl通过keyAlias属性在HSM中引用私钥的形式如下：

public class HsmKeyManagerImpl implements X509KeyManager {
    ...

    @Override
    public PrivateKey getPrivateKey(String alias) {
        // HSM Vendor specific API calls
    }
}

我没有显示代码如何获取与私有证书相对应的证书，但是使用的keyAlias属性定义的相同别名<Connector>用于从JKS 获取证书。