...
In order to detect and block man-in-the-middle attacks, clients adds an extra step beyond the normal X.509 certificate validation. After obtaining the server's certificate in the standard TLS handshake, the client checks the public key in the server's certificate chain against a hash of public key for the server name. Available optionally only for on-premise solution.
...
Mutual authentication with X.509 certificate
Clients can be authenticated by PrivateServer through X.509 certificates. The private key is securely stored on the device and can not be exported. PrivateServer can periodically acquire and manage the list of certificate revocation (CRL), safely and through secure protocol (HTTPS). Available optionally only for on-premise solution.
...