While most clients trust Nexusguard to look after private keys, some due to regulatory requirements or internal security policies—prefer not to turn over their private key to a third-party vendor.

To address their concern, Nexusguard can make use of separate key pairs to examine SSL-encrypted traffic—one each for the Visitor-to-Nexusguard and Nexusguard-to-Server sessions. The original pair, including the site owner’s private key, is only used in the Nexusguard-to-Server session, so the site owner retains control of the private key.