SSL Connections need Validation or Identification credentials based on which side of the conversation (client or server) the datapower box is.

Nonrepudiation: How do you knowwho the party on the other end is?

Signature: Encrypt a message with a private key, decrypt with the public key. This allows the receiver to verify the sender. Only the sender could use the private key to encrypt.

Message Integrity: Create a hash (message digest) from the message and then encrypt it with the private key.

Digital signatures provide the ability to authenticate who the message was sent from.

Signatures are encrypted with private keys. Messages for the recipient are generated from the public key.

Digital Certificate is a special public key. Contains identity information about the owner. Certificate is signed by whoever created it (self-signed or authority). Certificate does not contain the private key.

When generating a new private key, “Export Private Key” is the only way to get a private key off the box. The key will placed in the temporary filesystem which can be downloaded. There is also an optional piece of hardware called the HSM (Hardware security manager) that will allow you to get them off.

Export configuration will not includes keys.

Certificates exist in a trust chain. Certificate Authority (CA). Root certificates: Certificates we inherently trust.

Can poll a CRL (Certificate revokating list) to determine if certificate is still good.

DataPower Certificate monitors check when certificates expire.