The current implementation of the EJBCA CLI command "ca importca" is still using the old (EJBCA 4/5) way of specifying the keystore information.
It would be nice if the command were actually aware of crypto tokens in EJBCA, and that you would be able to pass in information about:
1. What crypto token to use.
2. What should be the alias of the signing key.
3. What should be the alias of the default key.
4. What should be the alias of the test key.
This way, during import of a CA, it would be possible to actually create the crypto token by hand, create the necessary default/test keys, and then simply point the ca importca command to those objects.
An additional option could be to have an option for telling the CLI to create default/test key if they are not available in the crypto token (bonus points for being able to specify what they should be perhaps).