Much of the HSM load within a CA is OCSP signing, not subscriber cert issuance.