Multiple small things in HsmResponseThread:
1. Helper CertTools.convertToX509CertificateHolder(chain) can be used to avoid code duplication.
2. Conversion should be done in constructor to as quickly as possible return the thread to the pool.
3. Each HsmResponseThread allocates 20480 bytes via BC's BufferingContentSigner even though a response signed with 4K RSA key and one level chain is less than 2048 bytes. Lower this to at least 4096 bytes.
(3: In high performance environments, the full OCSP response should in general be smaller than 1492 bytes to fit in a single Ethernet frame. If the system isn't optimized for this, then hitting the buffer limit might not be so important.)