To simplify the key export and import process of tenant keys, Utimaco has created an HSM Bring Your Own Key tool. Please, reach out to Utimaco so this tool can be provided to you. (You might need an authenticated support portal account to download the tool) The BYOK tool supports all key types (PKCS#11, CNG, JCE, CXI). The storage of keys is still restricted to the internal storage on the Utimaco CryptoServer HSM. The BYOK tool does not support key creation, only migration. That is why it is important to have the attributes of keys you would like to migrate set to be extractable.
For more information regarding the commands and command parameters, please check the Salesforce documentation.