- Enhancement
- Resolution: Fixed
- P3
- None
- b128
Before JDK 9, a user could use the -providerclass option in keytool and jarsigner to add a security provider that is not loaded by the JRE by default (i.e. not listed in java.security) or that needs a configuration. For example:
keytool -providerclass com.example.MyProvider ...
keytool -providerclass sun.security.pkcs11.SunPKCS11 -providerarg some.cfg ...
With modules in JDK 9, a security provider in a named module must be a service provider. It will be identified by a provider name (java.security.Provider::getName) rather than a class name.
This RFE suggests creating a new option called -addprovider, whose value is the name of a security provider defined in a module. For example:
keytool -J-mp mods -addprovider MyProvider ...
keytool -addprovider SunPKCS11 -providerarg some.cfg ...
For compatibility reasons, the SunPKCS11 and OracleUcrypto providers can still be loaded with "-providerclass sun.security.pkcs11.SunPKCS11" and "-providerclass com.oracle.security.crypto.UcryptoProvider" even though they are now defined in modules. These are the only modules included in the JDK that need a configuration, and are therefore the ones most widely used with the -providerclass option.
For legacy security providers located on the classpath and loaded by reflection, -providerclass should still be used. For example:
keytool -providerclass com.example.MyProvider ...
(If MyProvider is a legacy provider loaded via reflection)
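The two lookup styles described above, sketched in Java as an added example (not keytool's or the JDK's own code). The class name ProviderLookup and its name|class command-line convention are hypothetical, and the String-constructor handling of a provider argument on the legacy path is an assumption.

```java
import java.security.Provider;
import java.util.ServiceLoader;

public class ProviderLookup {

    // -addprovider style: the provider is a service provider, matched on
    // java.security.Provider::getName. ServiceLoader sees providers in named
    // modules as well as META-INF/services entries on the classpath.
    static Provider byName(String name, String arg) {
        ClassLoader cl = ClassLoader.getSystemClassLoader();
        for (Provider p : ServiceLoader.load(Provider.class, cl)) {
            if (p.getName().equals(name)) {
                // Provider.configure (added in Java 9) returns the configured
                // provider; it throws UnsupportedOperationException if the
                // provider takes no configuration.
                return arg == null ? p : p.configure(arg);
            }
        }
        throw new IllegalArgumentException("no service provider named " + name);
    }

    // -providerclass style: a legacy provider on the classpath, loaded by
    // reflection. Assumption: a provider that takes an argument exposes a
    // public constructor with a single String parameter.
    static Provider byClass(String className, String arg)
            throws ReflectiveOperationException {
        Class<? extends Provider> c = Class
                .forName(className, true, ClassLoader.getSystemClassLoader())
                .asSubclass(Provider.class);
        return arg == null
                ? c.getConstructor().newInstance()
                : c.getConstructor(String.class).newInstance(arg);
    }

    // Usage: java ProviderLookup.java name|class <value> [providerarg]
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: name|class <value> [providerarg]");
            return;
        }
        String arg = args.length > 2 ? args[2] : null;
        Provider p = args[0].equals("name")
                ? byName(args[1], arg)
                : byClass(args[1], arg);
        System.out.println(p.getName() + " " + p.getVersionStr()
                + " from " + p.getClass().getName());
    }
}
```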
- blocks
  - JDK-8150226 doc change for JDK-8130302 (Resolved)
  - JDK-8150227 L10n change for JDK-8130302 (Closed)
- relates to
  - JDK-8162882 Permission merge issue in jdk.crypto.ucrypto module (Closed)
  - JDK-8161340 ProblemList.txt update for sun/security/tools/keytool/autotest.sh (Closed)
  - JDK-8231598 keytool does not export sun.security.mscapi (Resolved)
1. doc change for JDK-8130302 | Resolved | Clifford Wayne (Inactive)
2. L10n change for JDK-8130302 | Closed | Leo Jiang (Inactive)