Date: 30 April 2019
Hongkong Post Certification Authority Root CA Rollover Plan Update on 1 July 2019
Hongkong Post Certification Authority (HKPCA) has already commenced the Root CA Rollover Plan from 1 February 2019 (refer to https://www.eCert.gov.hk/news/press/85.html for details).
Issuance of e-Cert (Server) under Root CA3 from 1 July 2019
Starting from 1 July 2019, Sub CA "Hongkong Post e-Cert SSL CA 3 - 17" of Root CA3 will be used for the issuance of all types of e-Cert (Server) (including e-Cert (Server), e-Cert (Server) with "Wildcard" feature and e-Cert (Server) with "Multi-domain" feature).
e-Cert (Server) to be issued under Root CA3 will support the following features:
- Support Chinese domain name(s) with characters encoded in ISO/IEC 10646.
- Support the update of Online Certificate Status Protocol (OCSP) response at the same time when the certificate is revoked.
- Continue to be trusted by common web browsers (such as Microsoft Internet Explorer/Edge, Mozilla Firefox, Apple Safari and Google Chrome).
Subscribers with e-Cert (Server) certificates issued on or after 1 July 2019 are required to do the following so that their websites installed with e-Cert (Server) under Root CA3 will continue to be trusted by common web browsers:
- Install the Sub CA "Hongkong Post e-Cert SSL CA 3 - 17" issued by Root CA3 to their applications, such as web servers.
- Install the cross-certificate "Hongkong Post Root CA 3" issued by Root CA1 to their applications, such as web servers.
The Sub CA certificate, the cross-certificate and their installation instructions are available for download from the HKPCA web site at https://www.eCert.gov.hk/product/download/root/index.html
Trial e-Cert (Server) with trial Sub CA "Hongkong Post e-Cert SSL CA 3 - 17", trial Root CA3 and trial cross-certificate are available for subscribers for testing from 1 April 2019. Please call the HKPCA hotline on 2921 6633 or email enquiry@eCert.gov.hk to request trial certificates for testing.
Change of Certificate Format from 1 July 2019 related to change of HKPCA domain name
As the HKPCA website has changed from www.hongkongpost.gov.hk to www.eCert.gov.hk since June 2018, as mentioned in the What's New announcement dated 31 May 2018 (refer to https://www.eCert.gov.hk/news/press/83.html for details), certain fields in the format of e-Cert and Bank-Cert issued under new Root CA2 and new Root CA3 will be changed from 1 July 2019 for clear identification, as follows:
For e-Cert (Server) issued by Sub CA "Hongkong Post e-Cert SSL CA 3 - 17" under Root CA 3:
|Field Name|Field Content (Starting from 1 July 2019)|
|Authority Information Access|Certification Authority Issuer: URL=http://www1.eCert.gov.hk/root/ecert_ssl_ca_3-17.crt|
|Certificate policies|URL of CPS contains the web address "www.eCert.gov.hk"|
|CRL distribution points|URL of CRL Distribution Point contains the web address "crl1.eCert.gov.hk"|
For all e-Cert and Bank-Cert issued by Sub CA "Hongkong Post e-Cert CA 2 - 15" and Sub CA "Hongkong Post e-Cert CA 2 - 17" under Root CA 2:
|Field Name|Field Content (before 1 July 2019)|Field Content (after 1 July 2019)|
|Certificate policies|URL of CPS contains the web address "www.hongkongpost.gov.hk"|URL of CPS contains the web address "www.eCert.gov.hk"|
|CRL distribution points|URL of CRL Distribution Point contains the web address "crl1.hongkongpost.gov.hk"|URL of CRL Distribution Point contains the web address "crl1.eCert.gov.hk"|
Subscribers, Authorised Representatives and relying parties should be aware of the following areas related to the certificate format changes from 1 July 2019:
- For details of publication of Certificate Revocation List ("CRL"), Authority Revocation List ("ARL") and Online Certificate Status Protocol ("OCSP") response using new domain name "eCert.gov.hk", please refer to section B of the announcement on HKPCA Root CA Rollover Plan (https://www.eCert.gov.hk/news/press/85.html).
- The change of certificate format related to change of HKPCA domain name is not applicable to existing e-Cert issued under Root CA1, and e-Cert and Bank-Cert issued under Sub CA "Hongkong Post e-Cert CA 2 - 15" and "Hongkong Post e-Cert CA 2 - 17" before 1 July 2019 ("Existing Certificates"). The CRL, ARL and OCSP responses with respect to Existing Certificates will continue to be updated and published using domain name www.hongkongpost.gov.hk until further notice.
- As the respective CRLs of Existing Certificates will continue to be published at the original web address, you are advised to stop any regular download of these CRLs that accesses the HKPCA IP address directly, to prevent possible false alarms of failure to download updated CRLs.
Subscribers, Authorised Representatives and relying parties should ensure that relying applications are able to support certificates, CRLs and OCSP responses published and issued by the existing and new Sub CAs with different certificate formats using either domain name www.hongkongpost.gov.hk or www.eCert.gov.hk from 1 July 2019.
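For relying parties, one way to audit which domain a certificate's CPS, CRL and Authority Information Access URLs use, and to flag CRL download URLs that point at an IP address rather than a host name, is shown below. This is an added example, not HKPCA code; the function names, the policy OID, the CRL file name, the URL scheme of the CPS entry and the IP address are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domains named in the announcement; DNS names are case-insensitive.
LEGACY_DOMAIN = "hongkongpost.gov.hk"
NEW_DOMAIN = "ecert.gov.hk"

def classify_url(url):
    """Classify one CPS / CRL / AIA URL by the host it points at."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # pinned to an address, not a name
    except ValueError:
        pass
    for label, domain in (("legacy", LEGACY_DOMAIN), ("new", NEW_DOMAIN)):
        # Match the domain itself or a true subdomain, never a bare suffix.
        if host == domain or host.endswith("." + domain):
            return label
    return "unexpected"

def extract_urls(x509_text):
    """Pull URI values out of `openssl x509 -noout -text` style output."""
    return re.findall(r"(?:URI:|CPS:\s*)(https?://\S+)", x509_text)

def certificate_format(x509_text):
    """Return 'legacy', 'new', or 'review' for a certificate's extension URLs."""
    kinds = {classify_url(u) for u in extract_urls(x509_text)}
    if kinds == {"legacy"} or kinds == {"new"}:
        return kinds.pop()
    return "review"                  # mixed, unexpected, IP literal, or no URLs

# Constructed sample shaped like the new-format table; not a real certificate.
SAMPLE_NEW = """
Authority Information Access:
    CA Issuers - URI:http://www1.eCert.gov.hk/root/ecert_ssl_ca_3-17.crt
X509v3 Certificate Policies:
    Policy: 0.0.0.0 (placeholder OID)
      CPS: http://www.eCert.gov.hk
X509v3 CRL Distribution Points:
    Full Name:
      URI:http://crl1.eCert.gov.hk/crl/PLACEHOLDER.crl
"""

if __name__ == "__main__":
    print(certificate_format(SAMPLE_NEW))
    for u in ("http://crl1.hongkongpost.gov.hk/crl/PLACEHOLDER.crl",
              "http://192.0.2.10/crl/PLACEHOLDER.crl"):
        print(classify_url(u), u)
```

A result of "review" covers certificates that mix both domains, reference a host outside them, or carry no URLs at all, so each case can be checked by hand.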
For enquiries, please call HKPCA e-Cert Customer Service at 2921 6633 or email to enquiry@eCert.gov.hk.