RSASignSessionBean line 726 (in 3.1):
Sends the CA's private signing key to ScepRequestMessage to decrypt the request sent by the client. ScepRequestMessage, on line 294, does:
decBytes = recipient.getContent(privateKey, "BC");
i.e. it uses the BC provider to decrypt. If the CA's key is in hardware, we must use the hardware provider instead.
We must also document that, for SCEP to work with an HSM-based CA, the hardware provider must support the decryption algorithm that BC performs here (using the private key).
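
An added sketch of the requested change, not EJBCA code: the provider for the private-key operation is passed in instead of being fixed to "BC". It uses the current Bouncy Castle CMS recipient API rather than the older getContent(key, provider) overload quoted above. The class name, the helper decrypt(), its keyProvider parameter, the key identifier and the sample payload are all constructed for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Security;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class ScepDecryptProviderExample {
    // Hypothetical helper. keyProvider is the JCA provider that holds the CA key:
    // "BC" for a soft key, the HSM's provider name for a hardware key.
    static byte[] decrypt(byte[] envelopedDer, PrivateKey caKey, String keyProvider)
            throws CMSException {
        CMSEnvelopedData env = new CMSEnvelopedData(envelopedDer);
        RecipientInformation recipient =
            (RecipientInformation) env.getRecipientInfos().getRecipients().iterator().next();
        JceKeyTransEnvelopedRecipient r = new JceKeyTransEnvelopedRecipient(caKey);
        r.setProvider(keyProvider);   // provider for the private-key (key unwrap) operation
        r.setContentProvider("BC");   // provider for the symmetric content decryption
        return recipient.getContent(r);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Constructed stand-in for the CA key pair; a soft key, so the provider is "BC".
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair ca = kpg.generateKeyPair();
        byte[] keyId = {1, 2, 3, 4};  // constructed recipient key identifier
        // Build a constructed enveloped message the way a SCEP client would wrap its request.
        CMSEnvelopedDataGenerator gen = new CMSEnvelopedDataGenerator();
        gen.addRecipientInfoGenerator(
            new JceKeyTransRecipientInfoGenerator(keyId, ca.getPublic()).setProvider("BC"));
        CMSEnvelopedData env = gen.generate(
            new CMSProcessableByteArray("constructed request payload".getBytes("UTF-8")),
            new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES128_CBC).setProvider("BC").build());
        byte[] out = decrypt(env.getEncoded(), ca.getPrivate(), "BC");
        System.out.println(new String(out, "UTF-8"));
    }
}
```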