Date: 31 Oct 2014
Transition Plan for Issuance of e-Cert (Server) using SHA-256 Cryptographic Hash Algorithm
Since Microsoft has announced a new policy for Certification Authorities (CAs) to deprecate the use of the SHA-1 cryptographic hash algorithm in SSL certificates in favor of SHA-2, major CAs have started to announce plans to stop issuing SHA-1 based server certificates. To be in line with industry practice, Hongkong Post Certification Authority (HKPCA) will issue SHA-256 e-Cert (Server) in phases according to the following transition plan:
Date | Event
--- | ---
With immediate effect | Trial SHA-256 e-Cert (Server) is available for testing upon request.
From 1 January 2015 to 31 December 2015 | SHA-256 e-Cert (Server) will be issued by default. SHA-1 e-Cert (Server) with 1-year validity period will only be issued upon written request.
Starting from 1 January 2016 | Only SHA-256 e-Cert (Server) will be issued. SHA-1 e-Cert (Server) will NO LONGER be issued.
As only SHA-256 e-Cert (Server) will be issued starting from 1 January 2016, e-Cert (Server) subscribers should prepare for the use of SHA-256 e-Cert (Server) and evaluate the implications, if any, for their servers and related client applications. To request trial certificates for testing, please call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.
Support Arrangement on the Replacement Service for Existing SHA-1 e-Cert (Server) Certificates
Hongkong Post Certification Authority (HKPCA) will offer a replacement service for SHA-256 e-Cert (Server) certificates to existing SHA-1 e-Cert (Server) subscribers.
The support arrangement on the replacement service is summarized as follows:
Item | Details
--- | ---
Period | 1 January 2015 until 31 December 2017
Customers | Existing subscribers who hold a SHA-1 e-Cert (Server) with a validity period ending on or before 31 December 2017.
Support Arrangement | Provision of a replacement SHA-256 e-Cert (Server), free of subscription fee within the validity period of the original SHA-1 e-Cert (Server) (see Notes).
How to Apply | Call our hotline service on 2921 6633 or email enquiry@hongkongpost.gov.hk to check eligibility for the offer and arrange the replacement.
Notes:
1. The subscription fee of the replacement SHA-256 e-Cert (Server) certificate will be charged on a pro-rata monthly basis for the part of its validity period that extends beyond the expiry date of the original SHA-1 e-Cert (Server) certificate. An invoice will be sent to the subscriber directly upon successful application. If no payment is received, we reserve the right to suspend the replacement SHA-256 e-Cert (Server) after the expiry date of the original e-Cert (Server) certificate.
2. The type of the replacement SHA-256 e-Cert (Server) certificate will be consistent with the original e-Cert (Server) certificate.
3. The validity period of the replacement SHA-256 e-Cert (Server) certificate must not be shorter than the remaining validity period of the original e-Cert (Server) certificate.
Example:
Assuming the current SHA-1 e-Cert (Server) certificate (without "Wildcard" feature and "Multi-domain" feature) expires on 30 June 2015, and the replacement 2-year SHA-256 e-Cert (Server) certificate (without "Wildcard" feature and "Multi-domain" feature) has a validity period from 1 January 2015 to 31 December 2016, the number of remaining months of validity of the replacement SHA-256 e-Cert (Server) certificate beyond the original expiry date would be 18 months (i.e. July 2015 to December 2016). The subscriber will be charged on a pro-rata monthly basis, at HK$208.33 per remaining month, for a total of HK$3,750.
For enquiries, please call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.
Frequently Asked Questions
1. Why is it necessary to change to the SHA-256 cryptographic hash algorithm for e-Cert (Server)?
The change is in line with industry practice of moving to the SHA-256 cryptographic hash algorithm to provide a higher level of security for electronic transactions.
2. What will be the implications for existing subscribers of SHA-1 e-Cert (Server) and relying parties?
Most of Microsoft's latest products support SHA-256, but owners of relying applications are recommended to verify whether code changes and software version upgrades are required. Starting from 1 January 2015, HKPCA will issue SHA-256 e-Cert (Server) by default. HKPCA will issue SHA-1 e-Cert (Server) with 1-year validity period until 31 December 2015 upon written request only. Server administrators and relying parties should assess their systems and software and make them ready for e-Cert (Server) with both cryptographic hash algorithms.
3. Will there be any change in e-Cert (Server) subscription and revocation procedures?
The existing e-Cert (Server) subscription and revocation procedures will remain unchanged. During the period from 1 Jan 2015 to 31 Dec 2015, SHA-256 e-Cert (Server) will be issued by default. SHA-1 e-Cert (Server) with 1-year validity period will be issued until 31 December 2015 upon written request only. Starting from 1 January 2016, e-Cert (Server) will only be issued with SHA-256 cryptographic hash algorithm for new or renewal applications.
4. We are using a SHA-1 e-Cert (Server) which has not expired yet. Do we need to pay more for the new SHA-256 e-Cert (Server)?
A support arrangement on the replacement service for existing SHA-1 e-Cert (Server) is available to subscribers. The subscription fee of the replacement SHA-256 e-Cert (Server) certificate will be charged on a pro-rata monthly basis for the part of its validity period that extends beyond the expiry date of the original SHA-1 e-Cert (Server) certificate. An invoice will be sent to the subscriber directly upon successful application. If no payment is received, we reserve the right to suspend the replacement SHA-256 e-Cert (Server) after the expiry date of the original e-Cert (Server) certificate.
5. We want to apply for the support arrangement for replacement of an existing SHA-1 e-Cert (Server). What is the application procedure?
Existing subscribers who hold a SHA-1 e-Cert (Server) can call our hotline service on 2921 6633 or email enquiry@hongkongpost.gov.hk to apply.
6. Our servers are using SHA-1 e-Cert (Server). May we request trial certificates to perform testing on our servers?
Trial SHA-256 e-Cert (Server) is available for testing upon request. To request trial certificates, please call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.