I would suggest to setup your scenario as described in our blog.
That way you maintain the 4-eyes principle over the whole life-time of the key. I also recommend to use the build-in key generator rather than generating keys on an external systems.
It is possible to import RSA keys into the device using the Smart Card Shell and a PKCS#12 container. You could also prepare a script that imports the key directly (Using the SmartCardHSM.js and DKEK.js scripting classes).
You could also combine both mechanisms, i.e. prepare the encrypted container on the offline system.
To import a key you will need a DKEK in any case. There is no plain import possible, all key material must be encrypted for security reasons. Even the import from PKCS#12 requires a DKEK and it basically transforms the PKCS#12 key container into the format understood by the SmartCard-HSM.