If you put an SSL appliance inline with the Firepower device you can get the traffic in decrypted form and inspect that.
If you're using an SSL policy on the Firepower device and specifying decrypt-and-resign as part of the policy then the decryption has to be done on the Firepower device itself - not on an HSM or other appliance.