If you use the DHE or ECDHE key
exchange algorithms to enable
Perfect
Forward Secrecy (PFS) Support for SSL Decryption, you cannot
use an HSM to store the private keys for SSL Inbound Inspection.
You also cannot use an HSM to store ECDSA keys used for Forward
Proxy or Inbound Inspection decryption.