Since jdk1.5 has a sun.security.pkcs11.SunPKCS11 implementing java.security.Provider, it should be possible to no longer store private keys on the server computer's harddisk, but on a USB token or alike (being willing to accept that SSL may become very slow...) Others appear to have asked for this http://marc.theaimsgroup.com/?l=tomcat-user&m=111471470228516&w=2 more also in http://forum.java.sun.com/thread.jspa?threadID=256018&messageID=3838346
Ralf, I'm not sure how to document this beyond simply pointing to the (good) URLs you provide...
some aspect of this is dealt with in bug 40677
The Sun URL no longer works - it redirects to the home page for the Oracle forums. Since bug 40677 has been fixed, I don't see much more that can be done here.