Subject: Re: any RSA hardware support for NetBSD?
To: Alicia da Conceicao <alicia@engine.ca>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: port-i386
Date: 06/25/2004 10:45:25

not that any of this is i386-specific, but:

>OpenBSD has a number of drivers for hardware crypto devices, but I
>would very much prefer to only deploy NetBSD servers if possible,
>and as I mentioned previously I only need some type of raw API to
>handle RSA private key encryption.

Huh?  See: man 4 crypto, man 4 ubsec, man 4 hifn in 2.0-BETA. We
implement the same API as OpenBSD, except (thanks to Sam Leffler, with
kibitzing from me) symmetric-key encryption is markedly more efficient
than the original OpenBSD implementation.  NetBSD doesn't have a
SafeNet driver yet; otherwise the APIs in OpenBSD, FreeBSD, and NetBSD
are identical.

OpenSSL in NetBSD 2.0-BETA will use hardware acceleration for modular
exponentiation (RSA and Diffie-Hellman) out of the box, provided the
OpenSSL app can open /dev/crypto.

If you're after recommendations for specific chips, the bcm5821 is
probably the fastest at modular exponentiation.  Broadcom claims 4,000
1024-bit RSA operations/sec using their SDK.  One source for built-up
boards is: http://www.interfacemasters.com/

For comparison, hifn's marketing claims the 7955/7956 is good for
70-80 1024-bit RSA ops/sec. The Soekris 7955 boards (http://www.soekris.com)
are roughly one-tenth the cost of the Broadcom boards.