Thank you for the clarification.
Working in this whole token ecosystem is just a plain horrible experience. Very confusing, inconsistent and incomplete documentation, misleading error messages, tons of tools with lackluster maintenance and similar naming and functionality (e.g. pkcs11-tool vs p11tool). Then suddenly Java and GUIs (SCShell), too. Just terrible if you want to have a robust, reproducible procedure you can trust to work for decades to come, let’s say for an internal root CA.
It’s not just a rant; it is hopefully also seen as a call to action for Nitrokey and others to innovate on HSM management instead of (exclusively) building on the rotten base of historical “standards” (see PIN length). I know I’m not the only one who craves to interface with an HSM with something as easy as a run-of-the-mill REST API.