Hongkong Post e-Cert

Certizen Limited

Hongkong Post


Frequently Asked Questions on e-Cert

Contents

  1. HONGKONG POST CA
  2. PUBLIC KEY INFRASTRUCTURE (PKI)
  3. HONGKONG POST E-CERT SERVICES
  4. SUBMISSION OF CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER)
  5. CENTRAL KEY GENERATION SERVICE FOR E-CERT
  6. TECHNICAL ISSUES
  7. REVOCATION OF CERTIFICATES
  8. DELETION AND RECOVERY ISSUES
  9. BACK-UP AND TRANSFER OF CERTIFICATE
  10. RENEWAL OF E-CERT (PERSONAL)
  11. E-CERT FILE USB
  12. E-CERT TOKEN
  13. E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS / E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS
  14. E-CERT (ORGANISATIONAL) WITH AEOI FUNCTIONS
  15. E-CERT (SERVER)
  16. BANK-CERT (PERSONAL / CORPORATE / BANK)
  17. HONGKONG POST ROOT CA1 ROLLOVER

A. HONGKONG POST CA

  1. WHY SHOULD I CHOOSE HONGKONG POST CA AS MY CERTIFICATION AUTHORITY?
  2. ARE THERE LAWS IN HONG KONG REGULATING DIGITAL SIGNATURES?
  3. WHAT IS THE MEANING OF "RELIANCE LIMIT" FOR THE E-CERT CERTIFICATE?
  4. RETIREMENT OF SUPERSEDED CERTIFICATION AUTHORITY SYSTEM
  5. HONGKONG POST CERTIFICATION AUTHORITY SUB CA ROLLOVER ON 26 FEBRUARY 2010
  6. WHAT WILL BE THE IMPACTS TO E-CERT SUBSCRIBERS AS A RESULT OF THE SUB CA ROLLOVER ON 26 FEBRUARY 2010?
  7. HONGKONG POST CERTIFICATION AUTHORITY SETUP NEW SUB CA "HONGKONG POST E-CERT CA 1 - 14" ON 1 JANUARY 2015
  8. WHAT WILL BE THE IMPACTS TO E-CERT (SERVER) SUBSCRIBERS AS A RESULT OF THE SETUP OF NEW SUB CA "HONGKONG POST E-CERT CA 1 - 14" ON 1 JANUARY 2015 ?
  9. EXPIRY OF SUB CA "HONGKONG POST E-CERT CA 1"
  10. HONGKONG POST CERTIFICATION AUTHORITY SETUP NEW SUB CA "HONGKONG POST E-CERT CA 1 - 15" ON 1 SEPTEMBER 2015
  11. WHAT WILL BE THE IMPACTS TO E-CERT (SERVER) SUBSCRIBERS AS A RESULT OF THE SETUP OF NEW SUB CA "HONGKONG POST E-CERT CA 1 - 15" ON 1 SEPTEMBER 2015
  12. EXPIRY OF ROOT CA "HONGKONG POST ROOT CA 1"

B. PUBLIC KEY INFRASTRUCTURE (PKI)

  1. WHAT IS ENCRYPTION ?
  2. WHAT IS PUBLIC KEY CRYPTOGRAPHY AND HOW DOES IT WORK?
  3. WHAT IS A CERTIFICATION AUTHORITY (CA)?
  4. WHAT IS A DIGITAL CERTIFICATE?
  5. WHAT IS THE HONGKONG POST E-CERT CERTIFICATE?
  6. WHAT IS A DIGITAL SIGNATURE AND HOW DOES IT WORK?
  7. WHAT IS HASH FUNCTION/VALUE?
  8. WHAT IS S/MIME ?
  9. WHY IS/ARE THERE AN S/MIME .P7M AND/OR S/MIME .P7S ATTACHMENT TO MY E-MAIL?
  10. WHAT IS A SECURE SOCKET LAYER (SSL)?
  11. HOW DO I SEND A SIGNED AND ENCRYPTED E-MAIL ?
  12. HOW CAN I OBTAIN SOMEONE ELSE'S DIGITAL CERTIFICATE (WITH PUBLIC KEY EMBEDDED) IN ORDER TO SEND HIM/HER AN ENCRYPTED E-MAIL?
  13. HOW DO I READ THE ENCRYPTED E-MAILS I RECEIVE?
  14. HOW DO I VERIFY THE DIGITAL SIGNATURES ON SIGNED MESSAGES I RECEIVE?
  15. HOW DO I KNOW IF THE E-MAIL I HAVE RECEIVED IS SIGNED OR ENCRYPTED?
  16. CAN I SEND SECURE E-MAIL TO SOMEONE WHO DOES NOT HAVE A DIGITAL CERTIFICATE?

C. HONGKONG POST E-CERT SERVICES

  1. DOES HONGKONG POST E-CERT SUPPORT CHINESE CHARACTERS?
  2. DOES HONGKONG POST E-CERT SUPPORT ELLIPTIC CURVE CRYPTOSYSTEM (ECC)?
  3. DOES HONGKONG POST E-CERT SUPPORT OBJECT SIGNING AND AUTHENTICODE?
  4. WHAT IS THE KEY LENGTH OF HONGKONG POST E-CERT ?
  5. CAN HONGKONG POST E-CERT CERTIFICATES BE USED GLOBALLY?
  6. WHAT IS THE SYSTEM REQUIREMENT TO ACCESS THE HKPCA WEBSITE?
  7. CAN I USE MY E-CERT WITH HOTMAIL OR OTHER SIMILAR E-MAIL SERVICES ?
  8. WHAT HAPPENS AFTER MY HONGKONG POST E-CERT CERTIFICATE EXPIRES?
  9. HOW MANY HONGKONG POST E-CERT CERTIFICATES CAN I APPLY FOR?
  10. HOW MUCH DOES A HONGKONG POST E-CERT CERTIFICATE COST?
  11. FOR HOW LONG ARE HONGKONG POST E-CERT CERTIFICATES VALID?
  12. CAN I CHANGE THE INFORMATION ON A CERTIFICATE?
  13. WHICH HASH ALGORITHMS ARE SUPPORTED BY HONGKONG POST CA?
  14. DOES HONGKONG POST E-CERT (SERVER) SUPPORT ONLINE CERTIFICATE STATUS PROTOCOL (OCSP)?
  15. WHY DOES MY BROWSER FIRST HAVE TO ACCEPT THE HONGKONG POST ROOT CA CERTIFICATE?
  16. WHERE DO I DOWNLOAD THE PUBLIC KEY OF THE HONGKONG POST ROOT CA CERTIFICATE, AND HOW DO I INSTALL IT IN THE BROWSER?
  17. HOW DO I RETRIEVE A LOST OR ACCIDENTALLY DELETED E-CERT?
  18. WHY IS IT IMPORTANT TO MAKE A BACK-UP COPY OF MY HONGKONG POST E-CERT CERTIFICATE?
  19. CAN I USE ONE HONGKONG POST E-CERT CERTIFICATE FOR MULTIPLE E-MAIL ADDRESSES?
  20. WHAT ARE THE AUTHENTICATION PROCEDURES FOR HONGKONG POST E-CERT CERTIFICATES?
  21. WHY IS HONGKONG POST ISSUING DIGITAL CERTIFICATES TO MINORS?
  22. CAN I SEARCH HONGKONG POST E-CERT (ENCIPHERMENT) CERTIFICATE FROM THE HONGKONG POST DIRECTORY SERVER ?
  23. WHERE I CAN FIND THE TERMS AND CONDITIONS GOVERNING THE USE OF HONGKONG POST E-CERT CERTIFICATES?
  24. HOW TO SEARCH IN NETSCAPE THE CERTIFICATE OF OTHER PEOPLE WHO HAS TWO OR MORE E-CERT WITH THE SAME EMAIL ADDRESS?
  25. WHY MUST AN APPLICANT FOR E-CERT COMPLETE THE IDENTITY VERIFICATION PROCESS IN PERSON AT A POST OFFICE?
  26. CAN AN APPLICANT VISIT A POST OFFICE DURING LUNCH BREAK, OVER WEEKEND OR ON SUNDAY TO COMPLETE THE APPLICATION PROCESS?
  27. IF AN APPLICANT HAS QUESTIONS OF INSTALLING AN E-CERT, HOW CAN HE/SHE SEEK HELP?
  28. IS IT A PROPER ARRANGEMENT FOR HONGKONG POST TO DELIVER THE E-CERT STORAGE MEDIUM TO AN APPLICANT BY POST?
  29. CAN AN E-CERT BE USED ON COMPUTERS RUNNING LINUX OR MAC OPERATING SYSTEMS?
  30. WHAT ARE THE DIFFERENCES IN CERTIFICATE FEATURES BETWEEN E-CERT (ORGANISATIONAL ROLE) AND E-CERT (ORGANISATIONAL)?
  31. IS E-CERT (ORGANISATIONAL ROLE) OR E-CERT (ORGANISATIONAL) SUITABLE FOR USE IN MY ORGANISATION?
  32. WHAT IS THE DIFFERENCE IN APPLICATION PROCEDURE BETWEEN E-CERT (ORGANISATIONAL ROLE) AND E-CERT (ORGANISATIONAL)?
  33. WHY PRIOR ARRANGEMENT IS REQUIRED FOR THE OFFER OF E-CERT (ORGANISATIONAL ROLE) CERTIFICATES FROM HONGKONG POST CERTIFICATION AUTHORITY?
  34. WHAT IS THE MAXIMUM FIELD LENGTH FOR "SUBSCRIBER ORGANISATION NAME" AND "SUBSCRIBER ORGANISATION BRANCH/DEPARTMENT" FOR E-CERT?
  35. WE ARE A PARTICIPANT OF IAM SMART PILOT SANDBOX PROGRAMME ORGANIZED BY HONG KONG CYBERPORT ("PROGRAMME"). MAY I REQUEST FOR TRIAL E-CERT (ENCIPHERMENT) TO CONDUCT TESTING UNDER THE PROGRAMME?

D. SUBMISSION OF CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER)

  1. WHAT IS A CERTIFICATE SIGNING REQUEST (CSR)?
  2. HOW DO I GENERATE A CERTIFICATE SIGNING REQUEST (CSR)?
  3. WHAT SHOULD I PASTE INTO THE CERTIFICATE SIGNING REQUEST (CSR) TEXT BOX DURING THE E-CERT (SERVER) CSR SUBMISSION PROCESS?
  4. WHAT SHOULD I DO IF I DID NOT DOWNLOAD MY E-CERT (SERVER) IN THE LAST STEP OF THE CERTIFICATE SIGNING REQUEST (CSR) SUBMISSION PROCESS?
  5. WHAT SHOULD I DO TO GENERATE A CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER) WITH A CHINESE DOMAIN NAME?

E. CENTRAL KEY GENERATION SERVICE FOR E-CERT

  1. WHAT IS CENTRAL KEY GENERATION SERVICE AND HOW DOES IT WORK?
  2. IS CENTRAL KEY GENERATION SERVICE APPLICABLE TO ALL TYPES OF E-CERT?
  3. ARE THERE ANY PROTECTIVE MEASURES TO SAFEGUARD THE PRIVATE KEY OF THE E-CERT CREATED UNDER THE CENTRAL KEY GENERATION SERVICE?
  4. IS THERE ANY TOOL OR PROGRAM THAT CAN BE USED TO CHANGE THE PASSWORD OF THE E-CERT FILE?
  5. IS THERE ANY RESTRICTION IN USING THE "CHANGE PASSWORD PROGRAM" SOFTWARE?

F. TECHNICAL ISSUES

  1. HOW DO I KNOW THAT MY HONGKONG POST E-CERT CERTIFICATE IS PROPERLY INSTALLED?
  2. WHAT SHOULD I DO IF MY PIN DOES NOT APPEAR TO WORK?
  3. WHY I AM GETTING AN 'EXPIRED CERTIFICATE' MESSAGE SHORTLY AFTER DOWNLOADING IT?
  4. I HAVE DELETED MY NETSCAPE NAVIGATOR AND INSTALLED THE LATEST VERSION. HOW DO I REINSTALL MY DIGITAL CERTIFICATE?
  5. HOW DO I KNOW I AM CONNECTED TO A SECURE SERVER ?
  6. HOW DO I GET 128-BIT / FULL-STRENGTH SESSIONS?
  7. WHAT DOMAIN NAME DO I USE ON MY SERVER CERTIFICATE REQUEST?
  8. WHICH FIELD INSIDE THE E-CERT (ENCIPHERMENT) CERTIFICATE CONTROLS THE USAGE PURPOSE OF THE KEY PAIR?
  9. THE KEY PAIR OF THE E-CERT (ENCIPHERMENT) WILL BE USED FOR ENCRYPTION AND DECRYPTION OF ELECTRONIC RECORDS. HOW DOES THIS KEY PAIR WORK?
  10. USING E-CERT IN THE CRYPTO TOOLS SOFTWARE

G. REVOCATION OF CERTIFICATES

  1. HOW DO I REVOKE MY HONGKONG POST E-CERT CERTIFICATE?
  2. WHY DO I NEED TO REVOKE MY CERTIFICATE BEFORE IT EXPIRES?
  3. HOW CAN I VERIFY THE STATUS OF MY REVOKED CERTIFICATE?

H. DELETION AND RECOVERY ISSUES

  1. IS THERE ANY WAY TO RECOVER MY HONGKONG POST E-CERT CERTIFICATE IF MY HARD DRIVE HAS CRASHED?
  2. WHAT SHOULD I DO IF MY COMPUTER HAS BEEN STOLEN TOGETHER WITH MY CERTIFICATE?
  3. SHOULD I DELETE MY EXPIRED OR REVOKED E-CERT?

I. BACK-UP AND TRANSFER OF CERTIFICATE

  1. HOW DO I SAVE A BACK-UP COPY OF MY DIGITAL CERTIFICATE?
  2. HOW DO I TRANSFER MY DIGITAL CERTIFICATE TO A NEW COMPUTER?

J. RENEWAL OF E-CERT (PERSONAL)

  1. WHY SUBSCRIBERS OF E-CERT HAVE NOT RECEIVED THE RENEWAL NOTICE UPON THE EXPIRY OF E-CERT?
  2. WHAT IS THE DIFFERENCE BETWEEN "EXTENSION OF SUBSCRIPTION PERIOD" AND "RENEWAL"?
  3. HOW CAN SUBSCRIBERS RENEW THEIR E-CERT?
  4. WHAT IS THE VALIDITY PERIOD OF THE RENEWED E-CERT (PERSONAL)? WHAT IS THE RENEWAL FEE?
  5. CAN I PAY HK$150 FOR 3-YR SUBSCRIPTION FEES IN ONE GO?
  6. WHEN SUBMITTING A RENEWAL APPLICATION, WILL THE SUBSCRIBERS OF E-CERT (PERSONAL) BE ISSUED A NEW PIN ENVELOPE?
  7. UPON RECEIPT OF THE NEW PIN ENVELOPE AND E-CERT STORAGE MEDIUM FOR THE RENEWED E-CERT, CAN THE SUBSCRIBER THROW AWAY THE OLD PIN ENVELOPE AND E-CERT STORAGE MEDIUM?
  8. WHAT ARE THE CHANNELS FOR ENQUIRY?

K. E-CERT FILE USB

  1. WHAT IS E-CERT FILE USB?
  2. WHAT IS THE MAJOR ADVANTAGE OF E-CERT FILE USB?
  3. DO I NEED TO PAY FOR THE E-CERT FILE USB?
  4. WHEN WAS THE FLOPPY DISKETTE BE CEASED AS E-CERT STORAGE MEDIUM IN THE NEAR FUTURE?
  5. DUE TO THE SECURITY POLICY, THE USB PORTS OF COMPUTERS IN MY OFFICE ARE DISABLED. HOW CAN I READ MY E-CERT FROM E-CERT FILE USB?
  6. I HAVE NOT CHOSEN E-CERT FILE USB WHEN I APPLY FOR E-CERT. CAN I CHOOSE TO BUY IT AFTER RECEIVING MY E-CERT?

L. E-CERT TOKEN

  1. WHAT IS E-CERT TOKEN?
  2. WHICH TYPES OF HONGKONG POST E-CERT CERTIFICATES USE E-CERT TOKEN AS STORAGE MEDIUM?
  3. WHAT IS THE DIFFERENCE BETWEEN E-CERT TOKEN AND E-CERT FILE USB?
  4. WHAT IS THE DIFFERENCE BETWEEN E-CERT TOKEN (SAFENET) AND E-CERT TOKEN (FEITIAN)? HOW SHOULD I CHOOSE?
  5. HOW CAN I READ MY E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS FROM E-CERT TOKEN?
  6. DUE TO THE SECURITY POLICY, THE USB PORTS OF COMPUTERS IN MY OFFICE ARE DISABLED. HOW CAN I READ MY E-CERT FROM E-CERT TOKEN?
  7. CAN I CHANGE THE PIN OF THE E-CERT TOKEN?
  8. MY E-CERT TOKEN IS DAMAGED AND MY E-CERT CANNOT BE ACCESSED. WHAT SHOULD I DO?
  9. WHAT SHOULD I DO IF I LOST MY E-CERT TOKEN?

M. E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS / E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS

  1. WHAT ARE THE ADVANTAGES OF E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS / E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS?
  2. HOW TO APPLY FOR E-CERT (PERSONAL/ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS, IF I HAVE SUBSCRIBED E-CERT (PERSONAL) / E-CERT (ORGANISATIONAL)?
  3. WHICH STORAGE MEDIA CAN BE CHOSEN FOR THE E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS / E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS?
  4. CAN I CHOOSE E-CERT FILE USB TO STORE MY E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS / E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS?
  5. WHAT SHOULD I DO IF I FORGOT THE PASSWORD OF MY E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS / E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS?
  6. CAN I CHOOSE ANOTHER TYPE OF E-CERT TOKEN TO STORE MY E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS / E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS WHEN RENEWAL?
  7. CAN I STORE AN E-CERT (PERSONAL) WITH "MUTUAL RECOGNITION" STATUS/E-CERT (ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS IN BOTH THE E-CERT TOKEN (SAFENET) AND THE E-CERT TOKEN (FEITIAN)?

N. E-CERT (ORGANISATIONAL) WITH AEOI FUNCTIONS

  1. IF I HAVE SUBSCRIBED E-CERT (ORGANISATIONAL), HOW TO APPLY FOR AN E-CERT (ORGANISATIONAL) WITH AEOI FUNCTIONS FOR HANDLING MATTERS RELATING TO AUTOMATIC EXCHANGE OF FINANCIAL ACCOUNT INFORMATION ("AEOI")?
  2. I HAVE A PREVAILING VALID E-CERT (ORGANISATIONAL), BUT NOT WITH AEOI FUNCTIONS. CAN IT BE USED TO ACCESS MY AEOI ACCOUNT UNDER THE AEOI PORTAL / CBC REPORTING PORTAL OF THE INLAND REVENUE DEPARTMENT ("IRD")?
  3. CAN WE APPLY FOR E-CERT (ORGANISATIONAL) WITH AEOI FUNCTIONS IF MY ORGANISATION DOES NOT HAVE BUSINESS REGISTRATION CERTIFICATE?

O. E-CERT (SERVER)

  1. WHEN APPLYING FOR E-CERT (SERVER), WHICH OPTION SHOULD I CHOOSE?
  2. WHAT ARE THE MINIMUM REQUIREMENTS TO INSTALL SHA-256 E-CERT (SERVER)?
  3. WHEN APPLYING FOR AN E-CERT (SERVER), WHAT ARE THE RESTRICTIONS IN THE SERVER NAMES?
  4. WHAT ARE THE ADVANTAGES OF E-CERT (SERVER) WITH "WILDCARD" FEATURE AND "MULTI-DOMAIN" FEATURE?
  5. HOW TO SUBMIT CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER) WITH "WILDCARD" FEATURE AND "MULTI-DOMAIN" FEATURE? IS THERE ANY DIFFERENCE IN THE PROCEDURES COMPARED WITH THE PROCEDURES IN SUBMISSION OF CSR FOR AN E-CERT (SERVER)?
  6. E-CERT (SERVER) WITH "WILDCARD" FEATURE OR "MULTI-DOMAIN" FEATURE MAY BE USED IN MULTIPLE SERVERS. THEN, HOW MANY CERTIFICATES WILL BE ISSUED TO THE SUBSCRIBER?
  7. CAN I APPLY FOR AN E-CERT (SERVER) WITH BOTH "MULTI-DOMAIN" FEATURE & "WILDCARD" FEATURE IN ONE CERTIFICATE?
  8. IN "SEARCH AND DOWNLOAD E-CERT (SERVER)" FUNCTION, WHICH SERVER NAME SHOULD BE USED TO SEARCH AND DOWNLOAD THE E-CERT (SERVER) WITH "WILDCARD" FEATURE OR "MULTI-DOMAIN" FEATURE?
  9. CAN I USE IP ADDRESS INSTEAD OF SERVER NAME?
  10. HOW TO COUNT "ADDITIONAL SERVERS" FOR E-CERT (SERVER) WITH "WILDCARD" FEATURE?
  11. AS THE NUMBER OF ADDITIONAL SERVERS IS SPECIFIED IN THE APPLICATION FOR E-CERT (SERVER) WITH "WILDCARD" FEATURE, WHAT SHOULD BE DONE IF THE NUMBER OF ADDITIONAL SERVERS CHANGES AFTER THE CERTIFICATE IS ISSUED ?
  12. CAN I APPLY FOR AN E-CERT (SERVER) WITH "WILDCARD" FEATURE WITH A SERVER NAME CONTAINING MORE THAN ONE WILDCARD CHARACTER ("*")?
  13. CAN I ADD/REMOVE/ALTER THE SERVER NAME AFTER AN E-CERT (SERVER) WITH "MULTI-DOMAIN" FEATURE IS ISSUED?
  14. CAN I REVOKE SOME BUT NOT ALL SERVER NAMES IN AN E-CERT (SERVER) WITH "MULTI-DOMAIN" FEATURE?
  15. WHAT IS A CAA RECORD?
  16. HOW DOES HKPOST CHECK CAA RECORDS BEFORE ISSUING CERTIFICATE?
  17. HOW DO I CONFIGURE THE CAA RECORDS TO ALLOW HKPOST TO ISSUE CERTIFICATE FOR MY DOMAIN NAME?
  18. CAN I APPLY FOR AN E-CERT (SERVER) WITH CHINESE DOMAIN NAME(S)
  19. CAN I APPLY FOR AN E-CERT (SERVER) SHOWING CHINESE ORGANIZATION NAME?
  20. WHAT IS THE CROSS-CERTIFICATE "HONGKONG POST ROOT CA 3" AND DO I NEED TO INSTALL IT?
  21. IF I HAVE ALREADY INSTALLED THE CROSS-CERTIFICATE "HONGKONG POST ROOT CA 3" PUBLISHED IN 2019 SIGNED BY HONGKONG POST ROOT CA 1 ("CROSS-CERT 2019") WITH VALIDITY END DATE ON 15 MAY 2023, DO I NEED TO REPLACE IT WITH "CROSS-CERT 2022" MENTIONED IN O-20? DO I NEED TO REPLACE THE E-CERT (SERVER) AS WELL?
  22. WHAT ARE THE SUPPORTED WEB BROWSERS AND OS VERSIONS FOR THE "CROSS-CERT 2022" AS MENTIONED IN O-20? FOR SUPPORT COVERAGE, WHAT IS THE DIFFERENCE BETWEEN "CROSS-CERT 2022" AND THE ROOT CERTIFICATE "HONGKONG POST ROOT CA3"?
  23. WHAT IS PRIVATE KEY COMPROMISE?
  24. WHAT SHOULD I DO IF I SUSPECT THE PRIVATE KEY OF MY E-CERT (SERVER) HAS BEEN COMPROMISED?
  25. IF I HAVE EVIDENCE THAT A PRIVATE KEY OF AN E-CERT (SERVER) HAS BEEN COMPROMISED, WHAT CAN I DO?
  26. WHAT IS AN EXTENDED VALIDATION E-CERT (SERVER)? HOW DOES THE VALIDATION PROCEDURES OF EXTENDED VALIDATION E-CERT (SERVER) DIFFER FROM EXISTING E-CERT (SERVER)?
  27. WHAT ARE THE ADVANTAGES OF EXTENDED VALIDATION E-CERT (SERVER) OVER EXISTING E-CERT (SERVER)?

P. BANK-CERT (PERSONAL / CORPORATE / BANK)

  1. WHAT IS A REGISTRATION BANK?
  2. HOW DO I APPLY FOR BANK-CERT (BANK) CERTIFICATE?
  3. HOW DO I APPLY FOR A BANK-CERT (PERSONAL)/ BANK-CERT (CORPORATE) CERTIFICATE?
  4. WHAT IS THE DIFFERENCE BETWEEN THE NEW BANK-CERT (PERSONAL) / BANK-CERT (CORPORATE) ISSUED FROM DECEMBER 2015 AND THE PREVIOUS BANK-CERT (PERSONAL) / BANK-CERT (CORPORATE) ISSUED BEFORE MARCH 2010?
  5. WHAT IS THE KEY LENGTH OF HONGKONG POST BANK-CERT CERTIFICATES?
  6. HOW MANY HONGKONG POST BANK-CERT CERTIFICATES CAN I APPLY FOR?
  7. FOR HOW LONG ARE BANK-CERT (PERSONAL) / BANK-CERT (CORPORATE) / BANK-CERT (BANK) VALID?
  8. CAN I CHANGE THE INFORMATION ON A BANK-CERT CERTIFICATE?
  9. WHICH HASH ALGORITHMS ARE SUPPORTED BY HONGKONG POST CA BANK-CERT?
  10. WHAT IS THE DIFFERENCE BETWEEN BANK-CERT AND OTHER TYPES OF DIGITAL CERTIFICATE IN TERMS OF FUNCTION?
  11. HOW DO I REVOKE MY HONGKONG POST BANK-CERT CERTIFICATE?

Q. HONGKONG POST ROOT CA1 ROLLOVER

  1. WHY IS IT NECESSARY TO PERFORM "HONGKONG POST ROOT CA 1" ROLLOVER?
  2. WHAT WILL BE THE ARRANGEMENT OF THE CERTIFICATE ISSUANCE AND REVOCATION AFTER THE ROOT CA ROLLOVER?
  3. WHAT WILL BE THE IMPACTS TO E-CERT SUBSCRIBERS AS A RESULT OF THE ROOT CA ROLLOVER?
  4. WILL THERE BE ANY CHANGE IN E-CERT SUBSCRIPTION AND REVOCATION PROCEDURES DUE TO THE ROOT CA ROLLOVER?
  5. OUR APPLICATION SYSTEMS SUPPORT HONGKONG POST E-CERT. MAY I REQUEST FOR TRIAL CERTIFICATES AND CRLS TO PERFORM TESTING ON OUR APPLICATIONS BEFORE THE ROOT CA ROLLOVER?
  6. WILL THE EXISTING ROOT CA CONTINUE TO UPDATE AND PUBLISH ARLS AFTER THE ROOT CA ROLLOVER?
  7. ACCORDING TO IMPLEMENTATION PLAN FOR ROOT CA "HONGKONG POST ROOT CA 1" ROLLOVER, FOR THE PERIOD FROM 1 FEBRUARY 2019 TO 31 MARCH 2019, IN ADDITION TO ISSUANCE OF E-CERT (ORGANISATIONAL) UNDER ROOT CA1 TO SUBSCRIBERS OF GOVERNMENT B/DS, E-CERT (PERSONAL) AND E-CERT (ORGANISATIONAL) UNDER ROOT CA1 COULD ALSO BE ISSUED TO SUBSCRIBERS IN RELATION TO DESIGNATED GOVERNMENT E-SERVICES. LIST OF DESIGNATED GOVERNMENT E-SERVICES IS MAINTAINED BY HKPCA AND RELEVANT GOVERNMENT B/DS SHALL DISCUSS WITH HKPCA IF INCLUSION OF GOVERNMENT E-SERVICES ONTO THIS LIST IS REQUIRED. WHICH DESIGNATED GOVERNMENT E-SERVICES ARE ON THE LIST MAINTAINED BY HKPCA?

A. HONGKONG POST CA

A-1 Why should I choose Hongkong Post CA as my Certification Authority?

Hongkong Post Certification Authority is a recognised Certification Authority under the Electronic Transactions Ordinance, CAP 553. The Hongkong Post e-Cert certificates are recognised certificates issued by the Postmaster General of the Hong Kong Post Office in accordance with the requirements of the Electronic Transactions Ordinance and the Code of Practice for Recognised Certification Authority. In addition, Hongkong Post CA conducts a strict authentication process to verify the identity of subscribers, providing the infrastructure for secure e-commerce. Details of authentication procedures are available from the Hongkong Post Certification Practice Statement (CPS).

A-2 Are there laws in Hong Kong regulating digital signatures?

Yes. The Electronic Transactions Ordinance (Cap 553) was first enacted in January 2000 and amended in July 2004. The Ordinance is available for viewing at https://www.ogcio.gov.hk/en/our_work/regulation/eto/index.html.

A-3 What is the meaning of "Reliance Limit" for the e-Cert certificate?

Reliance Limit means the monetary limit specified for reliance on a recognised certificate. The relevant sections of the Electronic Transactions Ordinance are Sections 41 and 42.

A-4 Retirement of Superseded Certification Authority System

In January 2004, Hongkong Post completed the Certification Authority (CA) system upgrade exercise, and the functions of the original CA system (OCA) operating under the OCA roots "Hongkong Post Root CA" and "Hongkong Post e-Cert CA" were taken over by the new CA system (NCA) operating under three NCA roots "Hongkong Post Root CA 1", "Hongkong Post e-Cert CA 1" and "Hongkong Post e-Cert CA 1 - 10".

Since 1 February 2004, the NCA has been issuing types of recognized certificates and the OCA has ceased to issue recognized certificates. As all recognized certificates issued by the OCA have a validity period of one year, all such certificates had expired by 1 February 2005, and therefore no recognized certificates issued by the OCA are still valid at present.

On 1 April 2005, the OCA retired and ceased to issue CRLs under the OCA roots "Hongkong Post Root CA" and "Hongkong Post e-Cert CA". The last CRL of the OCA was issued on 31 March 2005.

The retirement of the OCA does not affect the existing operation (including the publication of CRLs) of the NCA and services of the Hongkong Post Certification Authority. All recognized certificates and CRLs issued under both the OCA and NCA are still accessible at the existing repository.

A-5 Hongkong Post Certification Authority Sub CA Rollover on 26 February 2010

The Sub CA "Hongkong Post e-Cert CA 1" that has been used to sign the Recognized Certificates since June 2003 expired on 15 May 2013. In order to continue issuing Recognized Certificates with the maximum validity period of 3 years before the expiry of the Sub CA "Hongkong Post e-Cert CA 1", Hongkong Post completed the Sub CA "Hongkong Post e-Cert CA 1" Rollover on 26 February 2010.

With the completion of Sub CA rollover, the Sub CA "Hongkong Post e-Cert CA 1" ceased to issue Recognized Certificates. The Sub CA "Hongkong Post e-Cert CA 1 - 10" is used to issue Recognized Certificates and to perform revocation of certificates issued by it since 26 February 2010. The e-Cert subscription and revocation procedures remain unchanged after the Sub CA rollover.

With the expiry of the Sub CA "Hongkong Post e-Cert CA 1" on 15 May 2013, its last CRLs were issued at 14:15 on the same day.

For more information, please refer to the related announcement of the Sub CA Rollover.

A-6 What will be the impacts to e-Cert subscribers as a result of the Sub CA rollover on 26 February 2010?

Please refer to related announcement of the Sub CA Rollover on 26 February 2010.

A-7 Hongkong Post Certification Authority setup new Sub CA "Hongkong Post e-Cert CA 1 - 14" on 1 January 2015

With effect from 1 January 2015, a new Sub CA "Hongkong Post e-Cert CA 1 - 14" is used to issue SHA256 e-Cert (Server) and to perform revocation of SHA256 e-Cert (Server) issued by it. The e-Cert (Server) subscription and revocation procedures remain unchanged.

A-8 What will be the impacts to e-Cert (Server) subscribers as a result of the setup of new Sub CA "Hongkong Post e-Cert CA 1 - 14" on 1 January 2015?

Subscribers with SHA-256 e-Cert (Server) certificates issued after 1 January 2015 may need to install the new Sub CA "Hongkong Post e-Cert CA 1 - 14" in their applications, such as web servers, so that the applications recognize the new Sub CA.

A-9 Expiry of Sub CA "Hongkong Post e-Cert CA 1"

The Sub CA "Hongkong Post e-Cert CA 1" has been used to issue e-Cert and Bank-Cert in the following periods:

  • e-Cert (Personal) issued between 23 June 2003 and 25 February 2010
  • e-Cert (Organisational), e-Cert (Encipherment), e-Cert (Server), Bank-Cert (Personal) and Bank-Cert (Corporate) issued between 12 January 2004 and 25 February 2010.

The Sub CA "Hongkong Post e-Cert CA 1" has ceased to issue any recognized certificates since 26 February 2010 and expired on 15 May 2013.

The last full Certificate Revocation List (CRL) and partitioned CRLs were issued by Sub CA "Hongkong Post e-Cert CA 1" at 14:15 on 15 May 2013 (Hong Kong Time), with no further updates afterwards. The previously generated CRLs are still available for reference.

Except for the cessation of update of CRLs issued by the Sub CA "Hongkong Post e-Cert CA 1", all other services of Hongkong Post Certification Authority remain unchanged upon the expiry of the Sub CA "Hongkong Post e-Cert CA 1".

For more information, please refer to the related announcement of the Sub CA Expiry.

A-10 Hongkong Post Certification Authority setup new Sub CA "Hongkong Post e-Cert CA 1 - 15" on 1 September 2015

With effect from 1 September 2015, a new Sub CA "Hongkong Post e-Cert CA 1 - 15" is used to issue e-Cert (Server) Supporting Online Certificate Status Protocol and to perform revocation of e-Cert (Server) Supporting Online Certificate Status Protocol issued by it. The e-Cert (Server) subscription and revocation procedures remain unchanged.

A-11 What will be the impacts to e-Cert (Server) subscribers as a result of the setup of new Sub CA "Hongkong Post e-Cert CA 1 - 15" on 1 September 2015?

Subscribers with e-Cert (Server) Supporting Online Certificate Status Protocol certificates issued after 1 September 2015 may need to install the new Sub CA "Hongkong Post e-Cert CA 1 - 15" in their applications, such as web servers, so that the applications recognize the new Sub CA.

A-12 Expiry of Root CA "Hongkong Post Root CA 1"

The Root CA "Hongkong Post Root CA 1" expired on 15 May 2023. The Sub CAs "Hongkong Post e-Cert CA 1 - 10", "Hongkong Post e-Cert CA 1 - 14" and "Hongkong Post e-Cert CA 1 - 15" have ceased to issue any recognized certificates and expired on 15 May 2023.

For more information, please refer to the related announcement of the Root CA Expiry.


B. PUBLIC KEY INFRASTRUCTURE (PKI)

B-1 What is Encryption ?

The concept of encryption is simple: a message is converted from the original (plain text) into another, incomprehensible form (cipher text) by means of a specified procedure (algorithm) and a key. The same key can then be used to decrypt the message to its original form. Knowledge of the encryption key is necessary to carry out decryption. With the encryption techniques in use today, the security of the system is critically dependent on the length of the key used for the encryption. As encryption algorithms are publicly available, it is through the complexity (i.e., its length) and the secrecy of the key that the strength of the encryption can be assured.

B-2 What is Public Key Cryptography and how does it work?

Public Key Cryptography or Asymmetric Cryptography forms the basis of digital signatures and Public Key Infrastructure. This technique makes use of a pair of mathematically related, but different keys - a private key and a public key. The private key is kept secret and is only accessible to its owner; the public key is intended for wide distribution. If one key is used to encrypt a message, then only the other key in the pair can be used to decrypt it. The public key can be used to verify a message signed with the private key, or to encrypt messages that can only be decrypted using the private key.

B-3 What is a Certification Authority (CA)?

A Certification Authority (CA) is an organisation that issues independently authenticated digital certificates for use by individuals or organisations.

B-4 What is a digital certificate?

A digital certificate is an electronic file issued and digitally signed by a Certification Authority, vouching for the identity of the certificate holder.

B-5 What is the Hongkong Post e-Cert certificate?

The Hongkong Post e-Cert certificate is a digital certificate that is issued, signed and managed by Hongkong Post Certification Authority (CA) and is X.509 v.3 compliant. Hongkong Post CA offers three different types of digital certificates:

  1. Hongkong Post e-Cert (Personal) Certificates: these are used in browsers and e-mail programmes so that users can prove their identity to third parties;
  2. Hongkong Post e-Cert (Organisational) Certificates: these are used by organisations, associations or Government departments which want to issue an organisation-based certificate to their members/employees to conduct secure message transmission;
  3. Hongkong Post e-Cert (Server) Certificates: these are to authenticate servers to users, thereby making it possible to communicate in Secure Socket Layer (SSL) messages; and
  4. Hongkong Post e-Cert (Encipherment) Certificates: these are used for encryption and decryption of messages for confidentiality purposes only. This type of certificate is not to be used for message signing like e-Cert (Personal) and e-Cert (Organisational).

B-6 What is a Digital Signature and how does it work?

A digital signature is a unique string of bits that is separately generated for each message, 'signed' by the private key of the sender, and appended to the message prior to being forwarded to the intended recipient. By verifying the signature through using the public key of the sender, the receiver will be able to confirm the identity of the sender and be certain that the message has not been altered during transmission. In this way, digital signatures provide:

  • Authentication: proof of identity of the parties to an electronic transaction;
  • Integrity: assurance that the contents of a message have not been tampered with or modified;
  • Non-repudiation: proof of agreement to the terms of the transaction and prevention of denial of commitment.

B-7 What is Hash Function/Value?

The technique of the hash function is to compute a short digest of a fixed length from any given message that represents the message content. The hash function makes it impossible to revert to the original message and computationally difficult to find any two messages that hash to the same result. MD5 and SHA-1 are common hash algorithms.

B-8 What is S/MIME ?

S/MIME (Secure/ Multipurpose Internet Mail Extensions) is a de facto standard for sending secure e-mail over the Internet. MIME is the industry standard format for electronic mail, which defines the structure of the message's body. S/MIME adds a secure feature to the MIME standard. E-mail applications that support S/MIME add digital signatures and encryption capabilities to that format. Standardisation of the secured message's format allows users to conduct private and authenticated communications, independent of the e-mail software they use, as long as this software is S/MIME compatible. You and your recipient must have public key certificates and S/MIME compatible e-mail applications in order to send and receive secured e-mail.

B-9 Why is/are there an S/MIME .p7m and/or S/MIME .p7s attachment to my e-mail?

S/MIME is the secure e-mail protocol and .p7m contains the encrypted message while .p7s is the digital signature file. If this is received as an attachment, there are 2 possibilities :-

  1. You may be using a web-based e-mail account. It is suggested that you change your e-mail account to a non web-based account;
  2. You may be using an e-mail client which is not S/MIME compatible and will not be able to verify the attached signature. It is suggested that you upgrade your e-mail client to the latest version (e.g., Microsoft Outlook 98/2000) or use another S/MIME compatible mail programme (e.g., Microsoft Outlook Express 5 or Netscape Messenger 4.7 or above).

B-10 What is a Secure Socket Layer (SSL)?

The SSL handshake protocol was developed by Netscape Communications Corporation to provide security and privacy over the Internet. The Protocol supports server and client authentication. The SSL Protocol is application independent, allowing protocols like HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol), and Telnet to be layered on top of it transparently. The SSL Protocol is able to negotiate encryption keys, as well as to authenticate the server before data are exchanged by the higher-level application. The SSL Protocol maintains the security and integrity of the transmission channel by using encryption, authentication and session keys.

B-11 How do I send a signed and encrypted e-mail ?

For two parties to exchange signed and encrypted e-mail it is necessary that:

  • both parties correspond through S/MIME compatible e-mail programmes, AND
  • both parties have a digital certificate.

If the above conditions are fulfilled, the sender of a message can sign and encrypt messages with the options to "sign" and/or "encrypt" in his/her mail programme.
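
The following added example (not part of the original FAQ) reproduces what B-6, B-9 and B-11 describe using the openssl command line: a detached signature written as a .p7s file and an encrypted message written as a .p7m file. The keys, self-signed certificates, names and message are constructed test data standing in for CA-issued certificates.

```bash
#!/usr/bin/env bash
# Added example, not from the FAQ. All keys, certificates, names and
# messages are constructed test data; throwaway self-signed certificates
# stand in for CA-issued certificates such as an e-Cert.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a 2048-bit RSA key and a one-day self-signed certificate.
# $1 = file prefix, $2 = common name
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Detached signature: the message is hashed and the hash is signed with
# the sender's private key; the result is written as <message>.p7s.
# $1 = message file, $2 = signer prefix
sign_detached() {
    openssl smime -sign -binary -in "$1" -signer "$WORK/$2.crt" \
        -inkey "$WORK/$2.key" -outform DER -out "$1.p7s" 2>/dev/null
}

# Verify a .p7s against a message, using one certificate as trust anchor.
# Succeeds only if the content is unchanged AND the signer chains to it.
# $1 = message file, $2 = signature file, $3 = trusted prefix
verify_detached() {
    openssl smime -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$WORK/$3.crt" -out /dev/null 2>/dev/null
}

# Enveloped message: encrypt to the public key in the recipient's
# certificate and write <message>.p7m.
# $1 = message file, $2 = recipient prefix
encrypt_for() {
    openssl smime -encrypt -binary -aes-256-cbc -in "$1" \
        -outform DER -out "$1.p7m" "$WORK/$2.crt" 2>/dev/null
}

# Decrypt a .p7m with a certificate and its matching private key;
# the plaintext goes to stdout.
# $1 = .p7m file, $2 = recipient prefix
decrypt_as() {
    openssl smime -decrypt -binary -inform DER -in "$1" \
        -recip "$WORK/$2.crt" -inkey "$WORK/$2.key" 2>/dev/null
}

# Run a command and print whether it was accepted or rejected.
# $1 = label, remaining arguments = command
report() {
    label=$1; shift
    if "$@" >/dev/null; then echo "$label: accepted"
    else echo "$label: rejected"; fi
}

run_demo() {
    make_identity alice "Alice Sender (constructed)"
    make_identity bob   "Bob Recipient (constructed)"
    printf 'Transfer HK$100 to account 12345\n' > "$WORK/msg.txt"
    sed 's/100/900/' "$WORK/msg.txt" > "$WORK/tampered.txt"

    sign_detached "$WORK/msg.txt" alice
    report "original message, Alice trusted" \
        verify_detached "$WORK/msg.txt" "$WORK/msg.txt.p7s" alice
    report "tampered message, Alice trusted" \
        verify_detached "$WORK/tampered.txt" "$WORK/msg.txt.p7s" alice
    report "original message, only Bob trusted" \
        verify_detached "$WORK/msg.txt" "$WORK/msg.txt.p7s" bob

    encrypt_for "$WORK/msg.txt" bob
    report "decrypt with Bob's private key" \
        decrypt_as "$WORK/msg.txt.p7m" bob
    report "decrypt with Alice's private key" \
        decrypt_as "$WORK/msg.txt.p7m" alice
}

run_demo
```

The third check shows that a mathematically valid signature is still rejected when the verifier does not trust the certificate behind it, which is the role the CA's own certificate plays for a relying party.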

B-12 How can I obtain someone else's digital certificate (with public key embedded) in order to send him/her an encrypted e-mail?

To enable you to send an encrypted e-mail,

  • you need to ask your recipient to send you a signed e-mail and save the certificate in your address book; or
  • find a digital certificate from Hongkong Post's online e-Cert repository (directory) either by name or e-mail address, and then download your recipient's e-Cert.

B-13 How do I read the encrypted e-mails I receive?

If an e-mail message has been properly encrypted, i.e., with the public key corresponding to your private key, the encrypted message will be automatically decrypted for you (after you have entered your password for activating your private key) by your S/MIME compatible e-mail application and displayed to you as plain text.

B-14 How do I verify the digital signatures on signed messages I receive?

If your sender has included his/her public key certificate in the signed message, the digital signature on the message will be automatically verified by your S/MIME compatible e-mail application. In Netscape Messenger, a security icon saying "Signed" will be shown on the upper right corner of the message.

B-15 How do I know if the e-mail I have received is signed or encrypted?

For Netscape Messenger users: security enhanced messages have an icon in the upper-right corner, indicating that the message has been "signed", "encrypted" or "signed and encrypted".

B-16 Can I send secure e-mail to someone who does not have a digital certificate?

No, you cannot. In order to encrypt the e-mail message that you want to transmit, you will need to access the public key of the intended recipient. If the recipient is not in possession of a digital certificate, he/she will not have a public key. However, you can digitally sign messages to recipients whose e-mail applications support S/MIME. They will be able to verify your signature on the messages.


C. HONGKONG POST E-CERT SERVICES

C-1 Does Hongkong Post e-Cert support Chinese characters?

Currently, the technology adopted by Hongkong Post does not support Chinese characters. Hence, for the present, all Hongkong Post e-Cert certificates will be issued in English only.

C-2 Does Hongkong Post e-Cert Support Elliptic Curve Cryptosystem (ECC)?

ECC is not supported for the time being.

C-3 Does Hongkong Post e-Cert Support Object Signing and Authenticode?

Object signing and authenticode are not supported for the time being.

C-4 What is the key length of Hongkong Post e-Cert?

Hongkong Post e-Certs are issued with a 2048-bit RSA key length.

C-5 Can Hongkong Post e-Cert Certificates be used globally?

Hongkong Post e-Cert certificates are X.509 v3 compliant (an international standard) and can, therefore, be used globally.

C-6 What is the system requirement to access the HKPCA website?

The HTML 4.01 standard has been applied to the webpages on the HKPCA website, and users can access them with any browser that complies with the standard. However, exactly how a webpage is displayed differs between browsers, computers and operating systems. Users are also advised to apply the latest patches to their browsers and operating systems before accessing the website.

C-7 Can I use my e-Cert with Hotmail or other similar e-mail services?

This is not possible. Web-based e-mail services such as Hotmail and Yahoo are not S/MIME compatible. For details, please see heading under S/MIME below.

C-8 What happens after my Hongkong Post e-Cert certificate expires?

When a Hongkong Post e-Cert certificate expires, it can no longer be used for secured e-mail. You should re-apply for a new e-Cert certificate.

C-9 How many Hongkong Post e-Cert certificates can I apply for?

As many as you like. There is no limit to the number of Hongkong Post e-Cert certificates you can apply for.

C-10 How much does a Hongkong Post e-Cert certificate cost?

The subscription fees of Hongkong Post e-Cert certificates are:

Type of Certificate | Annual Fee (HK$)
Personal (without "Mutual Recognition" status) | ** Promotional Offer: HK$48 per certificate
e-Cert (Organisational) without "Mutual Recognition" Status | ** Promotional Offer: first time application for certificate with a 1-year validity period HK$47; first time application for certificate with a 2-year validity period HK$188; non-first time application or renewal for certificate with a 1-year validity period HK$141; non-first time application or renewal for certificate with a 2-year validity period HK$282 (plus an administration fee per application)
Encipherment | $150 per certificate (plus an administration fee per application)
Server (without "Wildcard" feature and "Multi-domain" feature) | ** Promotional Offer: HK$2,350 per certificate
Server (with "Wildcard" feature) | ** Promotional Offer: HK$8,265 per certificate + HK$475 per Additional Server
Server (with "Multi-domain" feature) | HK$3,000 per certificate + HK$2,500 per Additional Server Name
Extended Validation e-Cert (Server) (without "Multi-domain" feature) | ** Promotional Offer: HK$2,700 per certificate
Extended Validation e-Cert (Server) (with "Multi-domain" Feature) | HK$3,500 per certificate + HK$2,500 per Additional Server Name
Organisational Role | $150 per certificate (plus an administration fee per application)
g-Cert (Individual) | ** Promotional Offer: HK$18 per certificate

** Note: With effect from 1 July 2023, promotional discounts apply to the subscription fees for some types of e-Cert. For details, please refer to the relevant announcement.

C-11 For how long are Hongkong Post e-Cert certificates valid?

  • The validity period of Hongkong Post e-Cert (Personal) is 3 years.
  • The validity period of Hongkong Post e-Cert (Organisational) is 1 or 2 years.
  • The validity period of Hongkong Post e-Cert (Server), e-Cert (Server) with "Wildcard" feature and e-Cert (Server) with "Multi-domain" feature is 1 year.
  • The validity period of Hongkong Post e-Cert (Encipherment) is 1, 2, 3 or 4 years.

C-12 Can I change the information on a certificate?

A digital certificate, once generated, cannot be changed. If you have changed any information on the certificate such as your name or your e-mail address, you must apply for a new certificate. You should also revoke your existing certificate.

C-13 Which hash algorithm is supported by Hongkong Post CA?

Hongkong Post e-Certs are issued with the SHA-256 algorithm.

C-14 Does Hongkong Post e-Cert (Server) support Online Certificate Status Protocol (OCSP)?

Hongkong Post Certification Authority (HKPCA) will issue e-Cert (Server) supporting OCSP in phases. From 1 September 2015 to 31 August 2016, e-Cert (Server) supporting OCSP will be issued by default. Existing e-Cert (Server) not supporting OCSP with 1-year validity period will only be issued upon written request. Starting from 1 September 2016, only e-Cert (Server) supporting OCSP will be issued. For details, please refer to the relevant announcement.

Starting from 1 July 2019, the OCSP response to e-Cert (Server) will be updated and published immediately to reflect the revocation status of that certificate.

C-15 Why does my browser first have to accept the Hongkong Post Root CA certificate?

The Hongkong Post Root CA certificate is not pre-installed in standard browsers. This means that you will have to load the Hongkong Post Root CA certificate into your browser yourself. You need this root certificate to validate a certificate issued by Hongkong Post CA.

C-16 Where do I download the public key of the Hongkong Post Root CA certificate, and how do I install it in the browser?

The Hongkong Post CA Root certificates are available for downloading under the heading of "Download".

C-17 How do I retrieve a lost or accidentally deleted e-Cert?

If you lose your Hongkong Post e-Cert certificate, you must revoke your certificate immediately. In case you have accidentally deleted your certificate, you simply need to import the certificate from your back-up copy. If you do not have a back-up copy, you must submit a new application.

C-18 Why is it important to make a back-up copy of my Hongkong Post e-Cert certificate?

If you lose your certificate, and you do not have a back-up copy, you will lose access to all your old encrypted messages (as you will not have your private key which you need to decrypt these messages). It is absolutely essential, therefore, that you make a back-up copy of your certificate.

C-19 Can I use one Hongkong Post e-Cert certificate for multiple e-mail addresses?

Currently very few common browsers are capable of recognising multiple e-mail addresses on a single certificate. Therefore, Hongkong Post CA is adopting a policy of one e-mail address per certificate.

C-20 What are the authentication procedures for Hongkong Post e-Cert certificates?

Details of authentication procedures are available from the Hongkong Post Certification Practice Statement.

C-21 Why is Hongkong Post issuing digital certificates to minors?

It is the vision of Hongkong Post to groom the younger generation to participate in secure electronic transactions and communications. If a certificate holder is a minor at the time of submitting his/her application, it will be shown on the certificate as "Hongkong Post e-Cert (Personal/Minor)". Relying parties are reminded that minors are not legally capable of entering into contracts, and any such dealings may be declared null and void in the future.

C-22 Can I search for a Hongkong Post e-Cert (Encipherment) Certificate on the Hongkong Post directory server?

Absolutely. Like other types of e-Cert, the e-Cert (Encipherment) Certificate will also be posted to the directory for public searching.

C-23 Where can I find the terms and conditions governing the use of Hongkong Post e-Cert certificates?

The Subscriber Agreement and the Certification Practice Statement, which can be obtained at any Post Office counter, show all details of the terms and conditions governing the use of Hongkong Post e-Cert certificates. The Certification Practice Statement can also be viewed at Hongkong Post CA's web site.

C-24 How do I search in Netscape for the certificate of a person who has two or more e-Certs with the same e-mail address?

You have to specify the directory entry of the Hongkong Post e-Cert Directory with more Distinguished Name (DN) information in the search field. For example, entering "OU=0000920170,O=Hongkong Post e-Cert (Personal),C=HK" in the search root field limits the search to e-Cert (Personal) and SRN=0000920170. For details, you may refer to the user guide on setting the search field for the directory entry of the Hongkong Post e-Cert Directory.

C-25 Why must an applicant for e-Cert complete the identity verification process in person at a post office?

e-Cert is a digital certificate that offers a safe and secure way to conduct online transactions. In processing an e-Cert application, Hongkong Post is required to verify the identity of the applicant. As a procedural safeguard in the interest of the applicant, it is necessary for the applicant to visit a post office to complete the face-to-face identity verification process and delivery of the PIN envelope before an e-Cert can be issued.

C-26 Can an applicant visit a post office during lunch break, over weekend or on Sunday to complete the application process?

Yes. All post offices will stay open during lunch hours. As for the General Post Office at Central and the Tsim Sha Tsui Post Office, public services are available on Saturday afternoon and on Sundays from 9:00 a.m. to 2:00 p.m. The opening hours of the post offices can be found at Hongkong Post CA's web site.

C-27 If an applicant has questions about installing an e-Cert, how can he/she seek help?

He/she can call the e-Cert Hotline at 2921 6633.

C-28 Is it a proper arrangement for Hongkong Post to deliver the e-Cert storage medium to an applicant by post?

Hongkong Post always places emphasis on the security aspects of e-Cert. The e-Cert storage medium is delivered by post to save applicants an additional visit to a post office to collect it. As a security measure, the e-Cert storage medium is sent by recorded delivery, which requires the applicant to sign for its receipt. Furthermore, the use of an e-Cert requires a PIN, which is given to the applicant at the time of application.

C-29 Can an e-Cert be used on computers running Linux or Mac operating systems?

e-Cert can be used on the Windows operating system. The use of e-Cert on Linux and Mac operating systems will require installation of additional software plug-ins. You may contact the respective vendors of the Linux and Mac system for the details of the software plug-ins.

C-30 What are the differences in certificate features between e-Cert (Organisational Role) and e-Cert (Organisational)?

e-Cert (Organisational Role) is similar to e-Cert (Organisational) in that it is for use by an employee or a member of the Subscriber Organisation. e-Cert (Organisational Role) carries additional features: the e-Cert can include the "role", which can be the "title" or "position" of the Authorised User in the Subscriber Organisation, and the e-Cert is intended for use only in systems designated by the Subscriber Organisation. For other features, please refer to Appendix D of the CPS for e-Cert (Organisational Role).

C-31 Is e-Cert (Organisational Role) or e-Cert (Organisational) suitable for use in my organisation?

e-Cert (Organisational Role) certificate can be used for digital signature and encryption in PKI applications of the Subscriber Organisation. In addition, e-Cert (Organisational Role) can only be used in system(s) designated by the Subscriber Organisation. Organisations interested in the use of e-Cert (Organisational Role) may contact us at 2921 6633 or email to enquiry@eCert.gov.hk for further discussion.

C-32 What is the difference in application procedure between e-Cert (Organisational Role) and e-Cert (Organisational)?

The main difference in application procedure is that the offer of e-Cert (Organisational Role) certificates requires prior arrangement between Hongkong Post CA and the Subscriber Organisation, whereas the application for e-Cert (Organisational) is at the Subscriber Organisation’s own discretion.

C-33 Why is prior arrangement required for the offer of e-Cert (Organisational Role) certificates from Hongkong Post Certification Authority?

An e-Cert (Organisational Role) certificate is issued to the Subscriber Organisation for use in the application designated by that Subscriber Organisation. Prior arrangement is therefore required to address the Subscriber Organisation’s specific requirements.

C-34 What is the maximum field length for "subscriber organisation name" and "subscriber organisation branch/department" for e-Cert?

To comply with the international standard, "subscriber organisation name" and "subscriber organisation branch/department" for digital certificates cannot exceed 64 characters. If the submitted "subscriber organisation name" or "subscriber organisation branch/department" exceeds 64 characters, Hongkong Post CA will contact the applicant to abbreviate the name to no more than 64 characters in accordance with the following abbreviation table:

Abbreviation table

Glossary | Acronyms
Branch | Br.
Centre | Ctr.
Committee | Cmte.
Company | Co.
Department | Dept.
Hong Kong | HK
Incorporated | INC.
Limited | Ltd.
Management | Mgmt.
School | Sch.

C-35 We are a participant of the iAM Smart Pilot Sandbox Programme organized by Hong Kong Cyberport ("Programme"). May I request a trial e-Cert (Encipherment) to conduct testing under the Programme?

You are welcome to request a trial e-Cert (Encipherment) for the purpose of application testing. Each participant of the Programme may apply for one trial e-Cert (Encipherment) for submission of the public key certificate to the Programme. Please contact our e-Cert Customer Service at 2921 6633 or email enquiry@eCert.gov.hk with the Subject: "Trial e-Cert (Encipherment) for iAM Smart Pilot Testing".


D. SUBMISSION OF CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER)

D-1 What is a Certificate Signing Request (CSR)?

A Certificate Signing Request (CSR) is a request generated by your server which contains the information of your organisation and your public key. The Hongkong Post CA will generate your e-Cert (Server) based on your CSR.

D-2 How do I generate a Certificate Signing Request (CSR)?

You may refer to the User Guides for e-Cert (Server) Applicant for the procedures on how to generate a base64 encoded PKCS#10 CSR. Please make sure that the correct domain name (e.g. www.example.com) is entered in the "Common Name" field and "HK" in the "Country" field.

D-3 What should I paste into the Certificate Signing Request (CSR) text box during the e-Cert (Server) CSR submission process?

You should paste the entire content of the CSR including the lines "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" into the Certificate Signing Request (CSR) text box.

D-4 What should I do if I did not download my e-Cert (Server) in the last step of the Certificate Signing Request (CSR) submission process?

You can download your e-Cert (Server) from the Search and Download Certificate web page after a successful CSR submission process.

D-5 What should I do to generate a Certificate Signing Request (CSR) for e-Cert (Server) with a Chinese domain name?

For an e-Cert (Server) using a Chinese domain name, the subscriber should convert the Chinese domain name into ASCII characters by using an IDN conversion tool.
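A pre-submission check for the points made in D-2, D-3 and D-5, together with the RSA-only and 2048-bit key properties stated in C-2 and C-4, as an added example that is not Hongkong Post's own tooling. It assumes the key in the CSR must already be 2048-bit RSA; the function names are hypothetical, the DER reader covers only the PKCS#10 fields checked here, and `sample_csr` builds constructed input with a dummy key and signature (the signature is not verified).

```python
import base64
import re

OID_CN, OID_C, OID_RSA = "2.5.4.3", "2.5.4.6", "1.2.840.113549.1.1.1"
PEM_RE = re.compile(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)"
                    r"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)
HOST_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]{2,}$", re.I | re.A)

def tlv(buf, pos=0):
    """Decode one DER element: (tag, value bytes, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the size of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER data")
    return tag, buf[pos:pos + length], pos + length

def items(value):                           # children of a constructed element as (tag, value)
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid(raw):
    """Render DER OID content bytes as a dotted string."""
    first = min(raw[0] // 40, 2)
    arcs, n = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_csr(pem_text):
    """Extract subject attributes and RSA key size from a PEM PKCS#10 request."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE REQUEST lines are missing")
    der = base64.b64decode("".join(m.group(2).split()))
    info = items(tlv(der)[1])[0][1]         # CertificationRequestInfo
    _version, (_, subject), (_, spki) = items(info)[:3]
    names = {}
    for _, rdn in items(subject):           # Name = SEQUENCE OF SET OF {type, value}
        for _, atv in items(rdn):
            (_, attr_type), (_, val) = items(atv)
            names.setdefault(oid(attr_type), []).append(val.decode("utf-8", "replace"))
    (_, alg), (_, key_bits) = items(spki)
    key_oid, rsa_bits = oid(items(alg)[0][1]), None
    if key_oid == OID_RSA:
        rsa_seq = tlv(key_bits[1:])[1]      # skip the BIT STRING unused-bits octet
        rsa_bits = int.from_bytes(items(rsa_seq)[0][1], "big").bit_length()
    return {"subject": names, "key_oid": key_oid, "rsa_bits": rsa_bits}

def check_csr(pem_text):
    """Return a list of problems; an empty list means none were found."""
    try:
        csr = parse_csr(pem_text)
    except (ValueError, IndexError) as exc:
        return ["not a complete base64 PKCS#10 request: %s" % exc]
    problems = []
    cn = csr["subject"].get(OID_CN, [])
    if len(cn) != 1 or not HOST_RE.match(cn[0]):
        problems.append("Common Name must be one ASCII domain name, got %r" % cn)
    if csr["subject"].get(OID_C) != ["HK"]:
        problems.append("Country must be HK")
    if csr["key_oid"] != OID_RSA:
        problems.append("key is not RSA (ECC is not supported)")
    elif csr["rsa_bits"] != 2048:           # assumption: CSR key must match the 2048-bit e-Cert key
        problems.append("RSA key is %d bits, expected 2048" % csr["rsa_bits"])
    return problems

def to_ascii_domain(name):
    """Convert an internationalised domain name to its ASCII (xn--) form."""
    return name.encode("idna").decode("ascii")

def _der(tag, *parts):                      # DER encoder, used only to build the sample
    body = b"".join(parts)
    size = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    head = size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_csr(common_name, country="HK", bits=2048):
    """Constructed sample: valid PKCS#10 layout, dummy key and signature."""
    def attr(oid_hex, tag, text):
        return _der(0x31, _der(0x30, _der(0x06, bytes.fromhex(oid_hex)), _der(tag, text.encode())))
    subject = _der(0x30, attr("550406", 0x13, country), attr("550403", 0x0C, common_name))
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 = positive
    rsa_key = _der(0x30, _der(0x02, modulus), _der(0x02, b"\x01\x00\x01"))
    rsa_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")), _der(0x05))
    spki = _der(0x30, rsa_alg, _der(0x03, b"\x00" + rsa_key))
    info = _der(0x30, _der(0x02, b"\x00"), subject, spki, _der(0xA0))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05))
    csr = _der(0x30, info, sig_alg, _der(0x03, b"\x00" * (bits // 8 + 1)))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")
```

To check a real request, pass the full text of the CSR file to `check_csr`; both the "BEGIN NEW CERTIFICATE REQUEST" and "BEGIN CERTIFICATE REQUEST" armor forms are accepted.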


E. CENTRAL KEY GENERATION SERVICE FOR E-CERT

E-1 What is Central Key Generation Service and how does it work?

Hongkong Post generates the key pair (the private key and the public key) of an e-Cert on behalf of the Subscriber and creates the e-Cert. The key generation and e-Cert creation processes are performed in a trustworthy manner and environment within Hongkong Post's premises to ensure that the key pair and e-Cert are not tampered with. The generated key pair and e-Cert will be protected by a PIN and stored as an e-Cert file in an e-Cert storage medium. The e-Cert storage medium will be delivered to the Subscriber by registered mail. The Subscriber is required to open the e-Cert file with the PIN, which is distributed to the Subscriber separately.

E-2 Is Central Key Generation Service applicable to all types of e-Cert?

The Central Key Generation Service is applicable to e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) certificates. Subscribers who opt for this service should make the request and specify the collection/delivery arrangement at the time of application.

E-3 Are there any protective measures to safeguard the private key of the e-Cert created under the Central Key Generation Service?

The private key created under the Central Key Generation Service is stored in an encrypted form. Upon completion of delivery of e-Cert and the private key to subscriber, the private key will be purged from Hongkong Post system.

E-4 Is there any tool or program that can be used to change the password of the e-Cert file? 

As a quicker and easier way to change the password of the e-Cert file, a "Change Password Program" is available for download from Hongkong Post CA's web site. After downloading and a simple installation, the program is ready for use.

E-5 Is there any restriction in using the "Change Password Program" software?

The "Change Password Program" software is designed for use by Subscribers of Hongkong Post e-Cert to change the password of the e-Cert file that is created and saved on the e-Cert File USB. It works only on the Microsoft Windows platform.


F. TECHNICAL ISSUES

F-1 How do I know that my Hongkong Post e-Cert certificate is properly installed?

For Netscape Users:

  1. Open your Netscape browser;
  2. Click on the security icon (the one that looks like a padlock) from the main toolbar;
  3. Select Certificates > Yours from the menu on the left. Verify that your new e-Cert is listed in the personal certificates display.
  4. To view your e-Cert particulars, select it (e-Cert) and then click the 'view' button.

F-2 What should I do if my PIN does not appear to work?

You must type the PIN correctly, making sure that:

  1. the PIN includes all 16 digits,
  2. there are no spaces before, after, or within the PIN

If the problem persists, please contact the Hongkong Post CA Enquiry Hotline at 2921 6633.

F-3 Why am I getting an 'Expired Certificate' message shortly after downloading it?

This could happen because the system time of your PC is behind that of our CA system. Our CA system uses the Global Positioning System (GPS) clock to stamp the certificate. To avoid this, all you need to do is wait for a while or correct your system clock.

F-4 I have deleted my Netscape Navigator and installed the latest version. How do I reinstall my digital certificate?

If you have removed your old copy of Netscape Navigator, you have also deleted the file that contains the private key associated with your e-Cert. Without that private key or a back-up copy, you cannot reinstall your e-Cert. You need to apply for a new one. Upgrading Navigator by using the Netscape installer preserves your personal information, including your e-Cert and private key.

F-5 How do I know I am connected to a secure server?

Upon accessing a server secured with a Hongkong Post e-Cert (Server) certificate, the user will see a padlock at the bottom of his or her Internet browser or on the main toolbar of the Netscape browser. Clicking on the padlock will cause the details of the server's certificate to be displayed.

F-6 How do I get 128-bit / full-strength sessions?

Firstly, when you hear people speak of a 128-bit or 40-bit connection, they are referring to the "session key". This is a symmetric key created by the browser when it connects to the server that is used to encrypt AND decrypt data (transmitted to and from the server) after the initial browser/server "handshake". If your server supports full-strength sessions and the browser connecting to your site supports 128 bits, then a 128-bit session key will be created and used. Browsers that have been exported from the United States are limited to creating 40-bit session keys. Browsers that have been distributed within the US or manufactured by companies outside the US can create 128-bit session keys and thus connect to similarly manufactured and distributed servers in full-strength crypto. Outside the US, certain financial institutions and governmental organisations can apply for a Global Server Certificate, sometimes referred to as a "Step-up Server Certificate". Having one of these certificates installed on a server will guarantee a 128-bit connection with any browser, regardless of whether it is an "export" or "domestic" version.

F-7 What domain name do I use on my server certificate request?

Please be careful when choosing your domain name. You cannot change this information after the certificate is issued. The domain name should be the exact server name where the certificate will be installed. When a browser connects to your server, it will match the domain name to that on the certificate. If the names do not match, the browser will return an authentication error.

F-8 Which field inside the e-Cert (Encipherment) certificate controls the usage purpose of the key pair?

The "Key Usage" extension field specifies the usage of the key pair. For e-Cert (Encipherment), only the "Key Encipherment" bit and "Digital Signature" bit are set.

F-9 What is the usage of e-Cert (Encipherment)?

e-Cert (Encipherment) certificates are to be used only:

  1. to send encrypted electronic messages to the Subscriber Organisation;
  2. to permit the Subscriber Organisation to decrypt messages; and
  3. to permit the Subscriber Organisation to acknowledge receipt of the encrypted message by sending an acknowledgement with a digital signature added to it to confirm the identity of the receiving Subscriber Organisation.

Further, digital signatures generated by this class of certificate are only to be used to acknowledge the receipt of electronic messages in transactions which are not related to or connected with the payment of money on-line or the making of any investment on-line or the conferring on-line of any financial benefit on any person or persons or entities of whatsoever nature and under no circumstances are digital signatures generated by these certificates to be used to acknowledge the receipt of messages sent in connection with the negotiation or conclusion of a contract or any legally binding agreement.

F-10 Using e-Cert in the Crypto Tools software

The Crypto Tools (the Software) previously provided by the former i-Security Solutions Limited (the Company) has become unavailable for sales and/or distribution after the Company closed down in 2003. If you are using the Software for signing and encrypting documents with Hongkong Post e-Cert, you should note that Hongkong Post shall not accept any claims or liabilities whatsoever arising from the use or distribution of the Software.


G. REVOCATION OF CERTIFICATES

G-1 How do I revoke my Hongkong Post e-Cert certificate?

A subscriber may submit a request to revoke her/his certificate at any time for any reason. Revocation requests can be made by the following methods:

  1. Sending a certificate revocation request by fax to 2775 9130 and the original of the revocation request by post.
  2. Sending a certificate revocation request by letter to Hongkong Post CA, PO Box 68777, Kowloon East Post Office.
  3. Sending a digitally signed e-mail to enquiry@eCert.gov.hk
  4. Showing a revocation request in person at any post office with the same signature as on the original application form.
  5. For e-Cert (Server) revocation request, submission of online revocation request by entering Authorised Representative personal particulars and a 16-digit PIN from the PIN envelope. The PIN envelope was passed to the Authorised Representative at the juncture of submission of the application.

Suspensions and revocations of certificates will be effective only after they have been published in the Certificate Revocation List (CRL).

Personal Certificate Revocation Request

A personal certificate can only be revoked by the subscriber of that certificate.

Organisational Certificate Revocation Request

An organisational certificate can be revoked by:

  1. A person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application, or;
  2. The person whose name appears on the certificate as the subscriber of that certificate.

Server e-Cert Revocation Request

A server certificate can be revoked by a person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application.

Encipherment e-Cert Revocation Request

An encipherment certificate can be revoked by a person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application.

Acknowledgement to the Subscriber/Authorised Representative

Based on a request by fax, Hongkong Post will place a "Hold" on the certificate, which effectively suspends, but does not revoke the certificate. The subscriber then has to send his/her original of the revocation request to Hongkong Post to complete the revocation process. In-person or digitally signed requests will be processed directly as immediate revocations without the "Hold" procedure. Hongkong Post will endeavour to issue a Notice of Revocation to such subscribers within one week following the request for revocation.

Business Hours for Processing Revocation Requests

Monday to Friday 9:00 a.m. to 5:00 p.m.

Saturday 9:00 a.m. to 12:00 noon

Sundays & Public Holidays 9:00 a.m. to 12:00 noon

On any weekday on which a tropical cyclone warning signal no. 8 (or above) or a black rainstorm warning signal is hoisted, Hongkong Post Certificate Authority will open at the usual time if the signal is lowered at or before 6 a.m. that day. If the signal is lowered between 6 a.m. and 10 a.m. or at 10 a.m., Hongkong Post Certificate Authority will open at 2:00 p.m. on any weekday, other than on a Saturday, Sunday and public holiday.

Service Pledge and Certificate Revocation List Update

  1. Hongkong Post will exercise reasonable endeavours to see that, within 2 working days of (1) Hongkong Post receiving a revocation request from the Subscriber or (2) in the absence of such a request, the decision by Hongkong Post to suspend or revoke the certificate, the suspension or revocation is posted to the Certificate Revocation List.
  2. However, a Certificate Revocation List is not published in the directory for access by the public following each certificate revocation. Only when the next Certificate Revocation List is updated and published will it reflect the revoked status of the certificate. [Certificate Revocation Lists are published 3 times daily at 09:15, 14:15 and 19:00 Hong Kong Time.]

For the avoidance of doubt, Saturdays, Sundays, public holidays and all weekdays on which a tropical cyclone and rainstorm warning signal is hoisted are not working days.

G-2 Why do I need to revoke my certificate before it expires?

We strongly recommend that you revoke (cancel) your certificate if you suspect that your private key has been compromised, or you no longer wish to participate in the Hongkong Post Public Key Infrastructure. Moreover, in the following situations relating to e-Cert (Server) and EV e-Cert (Server), you may wish to revoke your certificate to prevent it from being used in the future :-

  • you no longer control, or are no longer authorised to use, all of the domain names in the certificate;
  • you will no longer be using the certificate because you are discontinuing your website;
  • your organisation's name or other organisational information in the certificate has changed; or
  • you have requested a new certificate to replace an existing certificate.

G-3 How can I verify the status of my revoked certificate?

You can verify the status of your revoked Hongkong Post e-Cert certificate by pulling down the entire Hongkong Post CA Certificate Revocation List (CRL) from the directory server at ldap1.eCert.gov.hk, which is updated every day. The CRL on the directory server can only be read by using the LDAP protocol, so you need client software with LDAP capability, for example, the Crypto Tools bundled in the e-Cert Customer Kit. Alternatively, you can go to our web site and access the CRL at the following URL: http://crl1.eCert.gov.hk/crl/eCertCA1-10CRL1.crl. For users of Microsoft Windows, when you open the CRL file, a CRL pop-up screen will show the list of revoked certificates in certificate serial number order. You may then locate the certificate by its serial number. Please note that the revocation status of expired certificates will not be published in the CRL.


H. DELETION AND RECOVERY ISSUES

H-1 Is there any way to recover my Hongkong Post e-Cert certificate if my hard drive has crashed?

A hard drive crash may delete the certificate in your computer. Once it has been lost, there is no way to retrieve it. You will first need to revoke your certificate, then enrol for a new one. Alternatively, you may restore your back-up copy and import this copy into your browser.

H-2 What should I do if my computer has been stolen together with my certificate?

As your digital certificate is protected by a password, it is unlikely that anyone else will be able to use it to impersonate you. However, we strongly advise you to revoke your certificate immediately if your computer has been stolen and then enrol for a new one.

H-3 Should I delete my expired or revoked e-Cert?

You should not delete your expired or revoked e-Cert. By deleting a certificate, you will no longer have access to the private key associated with it and it will therefore no longer be possible to read encrypted messages with it.


I. BACK-UP AND TRANSFER OF CERTIFICATE

I-1 How do I save a back-up copy of my digital certificate?

Each browser has its own back-up procedures. For Microsoft Edge Users:

  1. Click on the security icon (the one that resembles a padlock) from the main toolbar,
  2. In the "Settings" tab, click "Privacy, search, and services", and then click "Manage certificates".
  3. Select the e-Cert you intend to save and click Export,
  4. You will be prompted to choose a transport password which you will be asked for when importing or opening this copy of your e-Cert. Click OK,
  5. Select a location (such as your e-Cert file USB) and file name in which to save your e-Cert. Click Save,
  6. Protect your e-Cert file USB or other media and your transport password in a secure manner.

I-2 How do I transfer my digital certificate to a new computer?

The first step for transferring your e-Cert is to save ("Export") it from the computer's hard drive onto an e-Cert file USB or other transfer medium. When your e-Cert has been successfully exported, you can then import it into the new computer. To import your e-Cert into Microsoft Edge:

  1. Click on the security icon (the one that looks like a padlock) from the main toolbar,
  2. In the "Settings" tab, click "Privacy, search, and services", and then click "Manage certificates".
  3. Select Import,
  4. You will then be prompted to give the password you will use to protect your e-Cert,
  5. Locate your e-Cert from the e-Cert file USB or other medium used to back up your e-Cert (it should have a .p12 extension). Highlight it and click Open,
  6. Enter your transport password and click OK.

Note: Please make sure that you have successfully imported the certificate to the new machine before deleting the old certificate and the transient file.


J. RENEWAL OF E-CERT (PERSONAL)

J-1 Why have subscribers of e-Cert not received the renewal notice upon the expiry of e-Cert?

When the subscriber has not provided his/her e-mail address to Hongkong Post Certification Authority (Hongkong Post CA) or has changed it without notifying Hongkong Post CA, Hongkong Post CA is not able to issue the notice through e-mail. If subscribers wish to check whether their e-Cert is due for renewal, they can call our customer service hotline at 29216633, or send an e-mail to enquiry@eCert.gov.hk.

J-2 What is the difference between "Extension of Subscription Period" and "Renewal"?

"Extension of Subscription Period" - The e-Cert (Personal) is physically valid for three years and its subscription period is one year. Upon the expiry of the subscription period, subscribers need to pay HK$48 per certificate per year to extend the subscription period. If not, Hongkong Post will inactivate their e-Cert by suspension or revocation. According to the Electronic Transactions Ordinance, the inactivated certificates will be included in the Certificate Revocation List (CRL) published on Hongkong Post CA's web site. After the subscribers extended the subscription period, they can continue to use the existing e-Cert, and they will not be issued any new e-Cert storage medium or new PIN envelopes.

"Renewal" - The e-Cert (Personal) is physically valid for three years. Upon the expiry of the three years validity period, subscribers need to renew their e-Cert and pay HK$48 for the first year subscription fee. A new PIN envelope and the renewed e-Cert in an e-Cert storage medium selected by the subscriber will be issued to the subscriber.

J-3 How can subscribers renew their e-Cert?

Subscribers can submit a renewal application either online or by visiting a post office. However, the renewal methods will vary according to the actual needs of different subscribers. For details, you may refer to Renewal of e-Cert.

J-4 What is the validity period of the renewed e-Cert (Personal)? What is the renewal fee?

The renewed e-Cert (Personal) is physically valid for three years and its subscription period is one year. Subscriber has to pay the subscription fee and e-Cert storage medium cost, if any. The prevailing fee and cost can be referred to Hongkong Post CA's web site.

J-5 Can I pay HK$150 for 3-yr subscription fees in one go?

No. Subscription fees are charged on a yearly basis upon the expiry of each subscription period.

J-6 When submitting a renewal application, will the subscribers of e-Cert (Personal) be issued a new PIN envelope?

A new set of PIN envelope will be issued to the subscribers upon renewal of certificate.

J-7 Upon receipt of the new PIN envelope and e-Cert storage medium for the renewed e-Cert, can the subscriber throw away the old PIN envelope and e-Cert storage medium?

Subscribers should keep the old PIN envelope and the old e-Cert storage medium in order to use the old e-Cert. The new PIN envelope will be applicable to the renewed e-Cert stored in the new e-Cert storage medium.

J-8 What are the channels for enquiry?

Customers can call our customer service hotline 2921 6633 or send e-mail to enquiry@eCert.gov.hk or visit any post office.


K. E-CERT FILE USB

K-1 What is e-Cert File USB?

e-Cert File USB is a credit card sized USB flash drive which is a storage medium for Hongkong Post e-Cert. The e-Cert stored in it can be easily read by common computers equipped with USB ports.

K-2 What is the major advantage of e-Cert File USB?

The major advantage of e-Cert File USB is that the e-Cert stored in it can be read directly by common computers equipped with USB ports without the need for installation of any driver or additional equipment.

K-3 Do I need to pay for the e-Cert File USB?

Applicants applying for e-Cert can select e-Cert File USB as e-Cert storage medium at a unit cost of HK$40.

K-4 When did the floppy diskette cease to be used as an e-Cert storage medium?

Hongkong Post Certification Authority has ceased to use floppy diskette as e-Cert storage medium with effect from 1 April 2013.

K-5 Due to the security policy, the USB ports of computers in my office are disabled. How can I read my e-Cert from e-Cert File USB?

It is suggested that you may approach your information technology support team for their advice and assistance.

K-6 I did not choose e-Cert File USB when I applied for e-Cert. Can I choose to buy it after receiving my e-Cert?

No.


L. E-CERT TOKEN

L-1 What is e-Cert Token?

e-Cert Token is a portable PKCS#11 cryptographic token which is a storage medium for Hongkong Post e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status. The e-Cert stored in it can be easily read by computers equipped with USB ports.

L-2 Which types of Hongkong Post e-Cert certificates use e-Cert Token as storage medium?

e-Cert (Personal) with "Mutual Recognition" Status and e-Cert (Organisational) with "Mutual Recognition" Status will only be issued in e-Cert Tokens, and each one must be stored separately.

e-Cert Tokens are priced at HK$290 each.

L-3 What is the difference between e-Cert Token and e-Cert File USB?

e-Cert Token is a portable PKCS#11 cryptographic token. The e-Cert stored in e-Cert Token cannot be exported to any other storage media. e-Cert File USB is a credit card sized USB flash drive which is a storage medium for Hongkong Post e-Cert. Customers can export their e-Cert in the e-Cert File USB to other storage media.

L-4 What is the difference between e-Cert Token (SafeNet) and e-Cert Token (FEITIAN)? How should I choose?

Hongkong Post Certification Authority provides two types of e-Cert Tokens (i.e. e-Cert Token (SafeNet) and e-Cert Token (FEITIAN)) for applicants of e-Cert (Personal) with "Mutual Recognition" Status and e-Cert (Organisational) with "Mutual Recognition" Status to choose from.

Please note that some of the online services currently accepting e-Cert (Personal) with "Mutual Recognition" Status and/or e-Cert (Organisational) with "Mutual Recognition" Status, can only support one type of e-Cert Token. Therefore, before applying, Subscribers need to check with the online service provider which type of e-Cert Token is supported by the online service that accepts e-Cert (Personal) with "Mutual Recognition" Status and/or e-Cert (Organisational) with "Mutual Recognition" Status.

Currently, the details of online services that only accept one of the e-Cert Tokens are listed as follows:

(1) The following online services only accept e-Cert stored in e-Cert Token (SafeNet):

Online Service Provider: Buildings Department - Electronic Submission Hub (ESH) (https://esh.bd.gov.hk/)
Service Details:
  • Account Registration and Login
  • Electronic submission of PDF forms that requires digital signature

Online Service Provider: Government Logistics Department - Procurement and Contract Management System (PCMS) (https://pcms2.gld.gov.hk/iprod/#/home?lang-setting=en-US)
Service Details:
  • Submission of tender through eTender Box (ETB)

(2) The following online services only accept e-Cert (Personal) with "Mutual Recognition" Status stored in e-Cert Token (FEITIAN):

Online Service Provider: GUANGZHOU "BUSINESS ONE LINK" FOR STARTING A BUSINESS (https://air.scjgj.gz.gov.cn/v2/ecGovBizGuangzhouHkSign/#/login)
Service Details:
  • Login authentication for residents of HKSAR with HKID card

L-5 How can I read my e-Cert (Personal) with "Mutual Recognition" Status from e-Cert Token?

The e-Cert stored in e-Cert Token can be read directly by computers equipped with USB ports without the need for additional equipment.

L-6 Due to the security policy, the USB ports of computers in my office are disabled. How can I read my e-Cert from e-Cert Token?

It is suggested that you may approach your information technology support team for their advice and assistance.

L-7 Can I change the PIN of the e-Cert Token?

Yes. For e-Cert Token (SafeNet) users, the "SafeNet Authentication Client" software enables you to change the PIN of the e-Cert Token. Please refer to the software package attached with your e-Cert Token. For e-Cert Token (FEITIAN) users, you can use the e-Cert Token (FEITIAN) client tool to change the PIN of the e-Cert Token.

For details, please refer to the user guide (SafeNet) or (FEITIAN) of the e-Cert Token.

Also, you are advised to keep the PIN of your e-Cert Token in safe custody. Hongkong Post CA will not keep the PIN of your e-Cert Token. If the PIN is lost or forgotten, for security reasons, you are recommended to revoke your e-Cert, and then apply for a new e-Cert. You will need to pay for the subscription fee as prescribed on the application form.

L-8 My e-Cert Token is damaged and my e-Cert cannot be accessed. What should I do?

You may submit a request to Hongkong Post Certification Authority to revoke your e-Cert, and then apply for a new e-Cert. You will need to pay for the subscription fee as prescribed on the application form.

L-9 What should I do if I lost my e-Cert Token?

For security reasons, you are recommended to revoke your e-Cert, and then apply for a new e-Cert accordingly. You will need to pay for the subscription fee as prescribed on the application form.


M. E-CERT (PERSONAL/ORGANISATIONAL) WITH "MUTUAL RECOGNITION" STATUS

M-1 What are the advantages of e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status?

The e-Cert (Personal) with "Mutual Recognition" Status and e-Cert (Organisational) with "Mutual Recognition" Status participate in the mutual recognition scheme (see Note) under the Arrangement for Mutual Recognition of Electronic Signature Certificates issued by Hong Kong and Guangdong.

These e-Cert (Personal) with "Mutual Recognition" Status and e-Cert (Organisational) with "Mutual Recognition" Status are trusted by Adobe® for signing PDF documents.

Note: Hongkong Post has designated the e-Cert (Personal) with "Mutual Recognition" Status and e-Cert (Organisational) with "Mutual Recognition" Status to participate in the mutual recognition scheme under the Arrangement for Mutual Recognition of Electronic Signature Certificates issued by Hong Kong and Guangdong. For the specific certificate types with mutual recognition status and the verification method of these certificate types, please refer to the official trust list published by the Economic and Information Commission of Guangdong Province (http://gdii.gd.gov.cn/list/content/post_949021.html) to confirm whether the certificate types have valid mutual recognition status and their validity period. A copy of the entries is also maintained in the trust list of the OGCIO for reference.

M-2 How to apply for e-Cert (Personal/Organisational) with "Mutual Recognition" Status, if I have subscribed e-Cert (Personal) / e-Cert (Organisational)?

Applicants should complete the e-Cert (Personal) with Mutual Recognition Status new application and renewal form / e-Cert (Organisational) with Mutual Recognition Status new application and renewal form and submit the completed forms with the required documents and appropriate application fees in person to any post office.

The previous e-Cert (Personal) / e-Cert (Organisational) can be used until the expiry date. The subscribers may choose to renew the subscription period after expiry.

M-3 Which storage media can be chosen for the e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status?

e-Cert (Personal) with "Mutual Recognition" Status and e-Cert (Organisational) with "Mutual Recognition" Status will only be issued in e-Cert Token (SafeNet) or e-Cert Token (FEITIAN), and each one must be stored separately.

M-4 Can I choose e-Cert file USB to store my e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status?

No.

M-5 What should I do if I forgot the PIN of my e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status?

You may submit a request to Hongkong Post Certification Authority to revoke your e-Cert, and then apply for a new e-Cert. You will need to pay for the subscription fee as prescribed on the application form.

M-6 Can I choose another type of e-Cert Token to store my e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status upon renewal?

Yes. You can use the corresponding renewal form to switch to another type of e-Cert Token during renewal. For e-Cert (Personal) with "Mutual Recognition" Status, please download the e-Cert Token (SafeNet) renewal form (CPos 798AMR-S) or the e-Cert Token (FEITIAN) renewal form (CPos 798AMR-F). For e-Cert (Organisational) with "Mutual Recognition" Status, please download the e-Cert Token (SafeNet) renewal form (CPos 798FMR-S) or the e-Cert Token (FEITIAN) renewal form (CPos 798FMR-F).

M-7 Can I store an e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status in both the e-Cert Token (SafeNet) and the e-Cert Token (FEITIAN)?

No. You need to apply for two e-Cert (Personal) with "Mutual Recognition" Status / e-Cert (Organisational) with "Mutual Recognition" Status.


N. E-CERT (ORGANISATIONAL) WITH AEOI FUNCTIONS

N-1 If I have subscribed e-Cert (Organisational), how to apply for an e-Cert (Organisational) with AEOI Functions for handling matters relating to automatic exchange of financial account information ("AEOI")?

If you have subscribed an existing e-Cert (Organisational) that is without AEOI Functions, but you want to add AEOI Functions in renewal application, the supplementary application form(s) of e-Cert (Organisational) with AEOI Functions together with the e-Cert (Organisational) renewal form, relevant supporting documents and appropriate application fees shall be submitted in person to any post office.

N-2 I have a prevailing valid e-Cert (Organisational), but not with AEOI Functions. Can it be used to access my AEOI account under the AEOI Portal / CbC Reporting Portal of the Inland Revenue Department ("IRD")?

For accessing the AEOI account under IRD’s AEOI portal / CbC reporting account under IRD’s CbC Reporting Portal, you need to make use of the e-Cert (Organisational) with AEOI Functions.

N-3 Can we apply for e-Cert (Organisational) with AEOI Functions if my organisation does not have Business Registration Certificate?

If the reporting financial institution requires access to the AEOI account / CbC Reporting account under the AEOI Portal of the IRD but does not have a valid Business Registration Certificate, it shall obtain a reference letter issued by IRD and accompany a copy of the letter in place of the Business Registration Certificate in the application of the e-Cert (Organisational) with AEOI Functions.


O. E-CERT (SERVER)

O-1 When applying for e-Cert (Server), which option should I choose?

Applicants may choose the e-Cert (Server) option according to their needs. The following are for reference:

  1. e-Cert (Server) with "Wildcard" feature: suitable for applicants who need a certificate for multiple server names under the same domain. For example, an e-Cert (Server) with "Wildcard" feature issued to *.eCert.gov.hk can be used for all of the following server names:
    • www.eCert.gov.hk
    • eCert.gov.hk
    • mail.eCert.gov.hk
    • www1.eCert.gov.hk
  2. e-Cert (Server) with "Multi-domain" feature: suitable for applicants who need a certificate for multiple server names under different domains. For example, an e-Cert (Server) with "Multi-domain" feature may be used for all of the following server names:
    • www.eCert.gov.hk
    • eCert.gov.hk
    • www.e-Cert.gov.hk
    • www.eCert.hk
  3. e-Cert (Server) without "Wildcard" feature or "Multi-domain" feature: each certificate identifies one server name only, suitable for applicants who need certificates for only one or a few servers. For example:
    • www.eCert.gov.hk

O-2 What are the minimum requirements to install SHA-256 e-Cert (Server)?

The minimum requirements to install SHA-256 e-Cert (Server) in popular platforms and applications are listed as follows:

System Platform / Application | Minimum Requirements
Windows Server | 2003 SP2 + KB 938397
Apache Server | Dependent on OpenSSL version (0.9.8o or above)
Microsoft Exchange Server | Dependent on Windows Server Version
IBM Domino Server | 9.x with Fix Pack
IBM HTTP Server | 8.5 (Bundled with Domino 9)
Oracle Weblogic | 10.3.1 or above

O-3 When applying for an e-Cert (Server), what are the restrictions in the server names?

  1. e-Cert (Server) without "Wildcard" feature or "Multi-domain" feature: Only one server name is allowed, and the wildcard character ("*") is not allowed in any part of the server name.
  2. e-Cert (Server) with "Wildcard" feature: Only one server name is allowed, and the left-most component of the server name must be a wildcard character ("*").
  3. e-Cert (Server) with "Multi-domain" feature: Up to 50 server names can be specified, and the wildcard character ("*") is not allowed in any part of the server name(s).

Note: All server names must be owned by the Subscriber Organisation.

O-4 What are the advantages of e-Cert (Server) with "Wildcard" feature and "Multi-domain" feature?

e-Cert (Server) with "Wildcard" feature and "Multi-domain" feature have the following advantages:

  • e-Cert (Server) with "Wildcard" feature allows the certificate to be used for all server names at the same domain or sub-domain level owned by the Subscriber Organisation.
  • e-Cert (Server) with "Multi-domain" feature allows the use of the certificate to identify up to 50 server names owned by the Subscriber Organisation. It also allows server names under different domain names owned by the Subscriber Organisation.
  • The certificate includes "digital signature" Key Usage which can be used for server authentication and for establishment of secure communication channels with the server.

Therefore, if the Subscriber Organisation has many server names under the same or different domain names, using e-Cert (Server) with "Wildcard" feature or "Multi-domain" is more effective and flexible.

O-5 How to submit Certificate Signing Request (CSR) for e-Cert (Server) with "Wildcard" feature and "Multi-domain" feature? Is there any difference in the procedures compared with the procedures in submission of CSR for an e-Cert (Server)?

The procedures for submission of Certificate Signing Request (CSR) for e-Cert (Server) with "Wildcard" feature or "Multi-domain" feature are the same as for submission of CSR for e-Cert (Server). You only need to submit one CSR for each e-Cert (Server) with "Multi-domain" feature or e-Cert (Server) with "Wildcard" feature applied for, regardless of the total number of 'Additional Server Name(s)' in the e-Cert (Server) with "Multi-domain" feature or the number of 'Additional Server(s)' in which the e-Cert (Server) with "Wildcard" feature is to be installed. You only need to input the server name in the Subject Common Name of the CSR to be submitted; it is not necessary to specify any 'Additional Server Name(s)' in the CSR. The 'Additional Server Name(s)' given in the application will be included in the certificate by the system automatically when the certificate is issued. For more details about submission of CSR, please refer to the e-Cert (Server) User Guide.

O-6 e-Cert (Server) with "Wildcard" feature or "Multi-domain" feature may be used in multiple servers. Then, how many certificates will be issued to the Subscriber?

Only one certificate for each applied e-Cert (Server) with "Wildcard" feature or e-Cert (Server) with "Multi-domain" feature will be issued. Subscriber may copy the certificate for installation in the servers that have been applied in the application form.

O-7 Can I apply for an e-Cert (Server) with both "Multi-domain" feature & "Wildcard" feature in one certificate?

No. An e-Cert (Server) certificate can only have either "Multi-domain" feature or "Wildcard" feature. If you need both of the features, then you have to apply for two e-Cert (Server) certificates for the relevant servers, one for "Multi-domain" feature and the other for "Wildcard" feature.

O-8 In 'Search and Download e-Cert (Server)' function, which server name should be used to search and download the e-Cert (Server) with "Wildcard" feature or "Multi-domain" feature?

For e-Cert (Server) with "Wildcard" feature, you may search the certificate by specifying the server name with or without the wildcard component ("*"). For example, to search for the e-Cert (Server) with "Wildcard" feature issued to *.eCert.gov.hk, you can search for *.eCert.gov.hk or eCert.gov.hk to get the certificate. For e-Cert (Server) with "Multi-domain" feature, you may search the certificate by specifying any one of the server name(s), including server name used as Subject Name or any additional server name(s) in the Subject Alternative Name, in the certificate to search and download the corresponding e-Cert (Server) with "Multi-domain" feature.

O-9 Can I use IP address instead of server name to apply for the e-Cert (Server)?

All e-Cert (Server) certificates do NOT accept any IP address as server name to be included in the certificates.

O-10 How to count 'Additional Servers' for e-Cert (Server) with "Wildcard" feature?

The subscription fee for an e-Cert (Server) with "Wildcard" feature already includes the subscription fee required for installing the certificate in one server (the default server). If the certificate is to be installed in any additional physical server or virtual machine that operates on a separate operating system from the default server, then each such physical server or virtual machine is chargeable.

Example#1:

e-Cert (Server) with "Wildcard" feature installed in two servers - one server is active while the other server is for standby only. The total number of servers installed with e-Cert (Server) with "Wildcard" feature is two, and the number of 'Additional Server' is one.

Example#2:

e-Cert (Server) with "Wildcard" feature installed in one physical server and two servers running on virtual machines, each running under a separate operating system. The total number of servers installed with e-Cert (Server) with "Wildcard" feature is three, and the number of 'Additional Servers' is two.

O-11 As the number of Additional Servers is specified in the application for e-Cert (Server) with "Wildcard" feature, what should be done if the number of Additional Servers changes after the certificate is issued?

If the number of Additional Servers increases and the certificate is still within the validity period, then the subscriber may fill in the application form to increase the number of Additional Servers and pay the subscription fee only for the number of Additional Servers increased. The subscription fee to be paid shall cover the whole validity of the certificate regardless of when the certificate is to be used in the Additional Servers. When the certificate is to be renewed, the subscriber should fill in the total number of Additional Servers and pay the subscription fee for certificate renewal as well as the relevant subscription fee for the total number of Additional Servers.

If the number of Additional Servers decreases, the subscriber can only change the number of Additional Servers during the certificate renewal and pay the subscription fee for certificate renewal as well as the relevant subscription fee for the updated number of Additional Servers.

Subscription fee paid for Additional Servers will not be refunded due to decrease of number of Additional Servers.

O-12 Can I apply for an e-Cert (Server) with "Wildcard" feature with a server name containing more than one wildcard character ("*")?

No. One and only one wildcard character ("*") is allowed in the server name of an e-Cert (Server) with "Wildcard" feature, and the wildcard character ("*") must be in the left-most component of the fully qualified domain name of the server name.
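The server-name rules from O-3, O-9 and O-12 can be checked before an application is filled in. The following is an added example, not Hongkong Post's own code; the option labels ("single", "wildcard", "multi-domain"), the function names and the two-label minimum are assumptions made for this sketch.

```python
import ipaddress

# Maximum number of server names per certificate option (from O-3).
# The option labels are names chosen for this example.
LIMITS = {"single": 1, "wildcard": 1, "multi-domain": 50}


def is_ip_address(host):
    """True if host is an IPv4 or IPv6 literal (not accepted, see O-9)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_server_names(option, names):
    """Return a list of problems; an empty list means the names fit the option."""
    if option not in LIMITS:
        raise ValueError(f"unknown option: {option}")
    problems = []
    limit = LIMITS[option]
    if not 1 <= len(names) <= limit:
        allowed = "1" if limit == 1 else f"1 to {limit}"
        problems.append(f"{option}: {len(names)} server name(s) given, allowed: {allowed}")
    for name in names:
        host = name.rstrip(".")
        if is_ip_address(host):
            problems.append(f"{name}: IP addresses are not accepted as server names")
            continue
        labels = host.split(".")
        # Assumption of this example: a server name has at least two labels.
        # Non-ASCII labels are left alone because Chinese domain names are
        # supported (O-18).
        if len(labels) < 2 or any(not label for label in labels):
            problems.append(f"{name}: not a fully qualified domain name")
            continue
        stars = host.count("*")
        if option == "wildcard":
            # Exactly one "*", and it must be the whole left-most label (O-3, O-12).
            if labels[0] != "*" or stars != 1:
                problems.append(f"{name}: needs exactly one '*' as the left-most component")
        elif stars:
            problems.append(f"{name}: '*' is not allowed for the {option} option")
    return problems


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("single", ["www.example.com"]),
        ("single", ["*.example.com"]),
        ("wildcard", ["*.example.com"]),
        ("wildcard", ["*.*.example.com"]),
        ("multi-domain", ["www.example.com", "192.0.2.10"]),
    ]
    for option, names in samples:
        print(option, names, check_server_names(option, names) or "OK")
```

The check covers name syntax only; ownership of the names by the Subscriber Organisation (the Note in O-3) still has to be established separately.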

O-13 Can I add/remove/alter the server name after an e-Cert (Server) with "Multi-domain" feature is issued?

No. All server names in an e-Cert (Server) with "Multi-domain" feature cannot be changed after the certificate is issued. Subscriber may consider applying for another e-Cert (Server) with relevant option for the changed server names.

O-14 Can I revoke some but not all server names in an e-Cert (Server) with "Multi-domain" feature?

Revocation of an e-Cert (Server) with "Multi-domain" feature can only be applied to all but not some of the server names contained in the certificate. Revocation of an e-Cert (Server) with "Multi-domain" feature will revoke the validity of all server names contained in the certificate.

O-15 What is a CAA record?

The Certification Authority Authorization (CAA) Record, as defined in RFC 6844, allows a domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.

O-16 How does HKPost check CAA records before issuing certificate?

HKPost will check the Certification Authority Authorisation record(s) ("CAA Record") published for the domain name(s) to be identified in the certificate. If a CAA Record exists that does not list HKPost's domain name "eCert.gov.hk" or "hongkongpost.gov.hk" as an authorised issuer domain name, the certificate application will not proceed. If no CAA Record exists for the domain name(s) to be identified in the certificate, and no warning or error messages are encountered in the domain validation checking, HKPost considers that the applicant allows HKPost to issue a certificate for the domain name(s).

O-17 How do I configure the CAA Records to allow HKPost to issue certificate for my domain name?

You need to check whether CAA Records have been configured in your Domain Name Servers (DNS). If no CAA record is present and no warning or error messages are encountered in the domain validation checking, any CA including HKPost is allowed to issue a certificate for your domain. If CAA records exist in your DNS, please check and add the following CAA records to allow HKPost to issue a certificate for your domain (e.g. example.com):

example.com.  CAA  0  issue   "eCert.gov.hk"
example.com.  CAA  0  issue   "hongkongpost.gov.hk"
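The decision described in O-16 and O-17 can be rehearsed offline before applying. The following is an added example, not HKPost's own code: it reads CAA records in zone-file form and reports whether they permit the issuer domains "eCert.gov.hk" or "hongkongpost.gov.hk". It goes beyond the FAQ by applying the standard CAA rules for parent-domain lookup, issuewild and the critical flag; the sample zone, the function names and the handling of wildcard names are assumptions.

```python
import shlex

# Issuer domain names that HKPost accepts in CAA records (from O-16 / O-17).
HKPOST_ISSUERS = {"ecert.gov.hk", "hongkongpost.gov.hk"}
# Property tags this checker understands.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample records, not real DNS content.
SAMPLE_ZONE = """
example.com.       CAA 0   issue     "other-ca.example"
shop.example.com.  CAA 0   issue     "eCert.gov.hk"
shop.example.com.  CAA 0   issuewild ";"
example.org.       CAA 0   iodef     "mailto:security@example.org"
example.net.       CAA 0   issue     "hongkongpost.gov.hk; policy=ev"
example.net.       CAA 128 tbs       "unknown"
"""


def load_zone(text):
    """Map owner name -> list of (flags, tag, value) parsed from zone-file lines."""
    zone = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)  # keeps the quoted value as one token
        idx = [t.upper() for t in tokens].index("CAA")
        owner = tokens[0].rstrip(".").lower()
        flags, tag, value = int(tokens[idx + 1]), tokens[idx + 2].lower(), tokens[idx + 3]
        zone.setdefault(owner, []).append((flags, tag, value))
    return zone


def relevant_rrset(name, zone):
    """Climb from the name towards the root; return the first CAA set found."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        # Assumption: for a wildcard name the lookup starts at the name
        # with the "*." label removed.
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def hkpost_may_issue(name, zone):
    """Return (allowed, reason) for one server name.

    DNS lookup failures (the "warning or error messages" in O-16) are not modelled.
    """
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records found: CAA does not restrict issuance"
    for flags, tag, _ in rrset:
        # Critical bit (128) on a property the CA does not understand blocks issuance.
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"{owner}: critical property '{tag}' is not understood"
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # issuewild applies only to wildcard names and then replaces issue.
    effective = issuewild if (name.startswith("*.") and issuewild) else issue
    if not effective:
        return True, f"{owner}: no issue property applies to this request"
    # The issuer domain is the part of the value before any ";" parameters.
    issuers = {v.split(";")[0].strip().lower() for v in effective}
    if issuers & HKPOST_ISSUERS:
        return True, f"{owner}: HKPost is listed as an authorised issuer"
    return False, f"{owner}: HKPost is not listed; add the records shown in O-17"


if __name__ == "__main__":
    zone = load_zone(SAMPLE_ZONE)
    for fqdn in ("www.example.com", "shop.example.com", "*.shop.example.com",
                 "www.example.org", "www.example.net", "www.example.hk"):
        allowed, reason = hkpost_may_issue(fqdn, zone)
        print(f"{fqdn:22} {'OK' if allowed else 'BLOCKED':8} {reason}")
```

In the sample, www.example.com is blocked because it inherits the record at example.com, and *.shop.example.com is blocked because the issuewild ";" record forbids wildcard issuance even though issue lists HKPost.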

O-18 Can I apply for an e-Cert (Server) with Chinese domain name(s)?

Yes. Starting from 1 July 2019, e-Cert (Server) issued under Root CA3 supports Chinese domain name(s) with characters encoded in ISO/IEC 10646.

O-19 Can I apply for an e-Cert (Server) showing Chinese organization name?

Yes. Starting from 1 July 2019, subscriber may choose an e-Cert (Server) showing the organization name and branch name in Chinese during the submission of Certificate Signing Request (CSR).

You cannot change this information after the certificate is issued. For more details about submission of CSR, please refer to e-Cert (Server) User Guide.

O-20 What is the cross-certificate "Hongkong Post Root CA 3" and do I need to install it?

HKPCA deployed a new cross certificate in December 2022 named as "Hongkong Post Root CA 3" ("Cross-Cert 2022") signed by the root certificate "GlobalSign Root CA – R3" with validity up to March 2029 in establishing a trust relationship from Hongkong Post Root CA 3 to the "GlobalSign Root CA - R3". E-Cert (Server) subscribers are required to conduct the following so that their websites/servers installed with e-Cert (Server) will continue to be accessible by the older versions of mobile/desktop devices not yet preloaded with Root CA3 ("Older Devices").

  1. For e-Cert (Server), install the Sub CA certificate "Hongkong Post e-Cert SSL CA 3 - 17" issued by Root CA3 to your applications, such as web servers. For EV e-Cert (Server), install the Sub CA certificate "Hongkong Post e-Cert EV SSL CA 3 – 17" to your applications.
  2. Install the cross-certificate "Hongkong Post Root CA 3" issued by "GlobalSign Root CA – R3" to your applications, such as web servers.

For more details about the installation of Sub CA certificates, please refer to https://www.ecert.gov.hk/product/ecert/guide/server.html

For more details about the cross-certificate, please refer to https://www.ecert.gov.hk/product/download/root/index.html

O-21 If I have already installed the cross-certificate "Hongkong Post Root CA 3" published in 2019 signed by Hongkong Post Root CA 1 ("Cross-Cert 2019") with validity end date on 15 May 2023, do I need to replace it with "Cross-Cert 2022" mentioned in O-20? Do I need to replace the e-Cert (Server) as well?

Yes, you are required to replace the "Cross-Cert 2019" in your websites/servers with the "Cross-Cert 2022". Please refer to O-20 for the reason for the replacement.

The following deliverables are available for download in Hongkong Post CA website:

  1. Cross-Cert 2022;
  2. User Guide published in December 2022 for related installation; and
  3. CPS of e-Cert (Server) updated with information of the "Cross-Cert 2022".

You are not required to replace the e-Cert (Server), except for EV e-Cert (Server). Subscribers of EV e-Cert (Server) have to apply for a new EV e-Cert (Server) to retain the EV treatment in the Older Devices mentioned in O-20 after the expiry of Hongkong Post Root CA1.

O-22 What are the supported web browsers and OS versions for the "Cross-Cert 2022" as mentioned in O-20? For support coverage, what is the difference between "Cross-Cert 2022" and the root certificate "Hongkong Post Root CA3"?

The "Cross-Cert 2022", signed by the root certificate "GlobalSign Root CA – R3" with validity up to March 2029, is trusted by the Older Devices mentioned in O-20 according to the compatibility information as summarised below:

  • Google Chrome and other supported web browsers on Android 3 or above
  • Microsoft Internet Explorer / Edge and other supported web browsers on Windows XP or above
  • Apple Safari and other supported web browsers on iOS 4 or above, MacOS X 10.6.4 or above
  • Mozilla Firefox version 3.6.12 or above on all supported platforms

"Hongkong Post Root CA3" is a trusted root certificate with validity up to 3 June 2042 by major web browsers as summarized below:

  • Google Chrome and other supported web browsers on Android 11 or above
  • Microsoft Internet Explorer / Edge and other supported web browsers on Windows 10 or above
  • Apple Safari and other supported web browsers on iOS 15 or above, iPadOS 15 or above, macOS 12 or above
  • Mozilla Firefox version 68 or above on all supported platforms
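A check for the situation in O-21 and O-22, added here as an example and not part of Hongkong Post's published material: it reads the subject, issuer and end date of each certificate a server sends and reports whether the superseded Cross-Cert 2019 is still in the chain, or whether any CA certificate expires before the server certificate does. The sample chain, its dates and the function names are constructed for illustration; the issuer is matched on the names given in O-21 and O-22.

```python
import re
from datetime import datetime

# Constructed sample (not real certificate data): the output of
#   openssl x509 -noout -subject -issuer -enddate
# for each certificate a server sends, leaf first (OpenSSL 1.1.1+ format).
SAMPLE_CHAIN = """\
subject=C = HK, O = Example Ltd, CN = www.example.hk
issuer=C = HK, O = Hongkong Post, CN = Hongkong Post e-Cert SSL CA 3 - 17
notAfter=Jan 10 00:00:00 2024 GMT
subject=C = HK, O = Hongkong Post, CN = Hongkong Post e-Cert SSL CA 3 - 17
issuer=C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 3
notAfter=Jun  3 00:00:00 2032 GMT
subject=C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 3
issuer=C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1
notAfter=May 15 00:00:00 2023 GMT
"""

def parse_chain(text):
    """Return one dict per certificate: subject, issuer, notAfter (UTC)."""
    certs = []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "subject":
            certs.append({"subject": value})
        elif key == "issuer" and certs:
            certs[-1]["issuer"] = value
        elif key == "notAfter" and certs:
            certs[-1]["notAfter"] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return certs

def audit_chain(text, now):
    """Flag the superseded cross-certificate and CA certs that expire too early."""
    certs = parse_chain(text)
    leaf_end = certs[0]["notAfter"]
    findings = []
    for cert in certs[1:]:
        cn = re.search(r"CN\s*=\s*([^,/]+)", cert["subject"]).group(1).strip()
        issuer = cert["issuer"].replace("\u2013", "-")  # tolerate an en dash
        if cn == "Hongkong Post Root CA 3" and cert["issuer"] != cert["subject"]:
            if "Hongkong Post Root CA 1" in issuer:
                findings.append(("cross-cert-2019", cn))  # must be replaced
            elif "GlobalSign Root CA - R3" in issuer:
                findings.append(("cross-cert-2022", cn))  # current cross-certificate
        if cert["notAfter"] < now:
            findings.append(("expired", cn))
        elif cert["notAfter"] < leaf_end:
            findings.append(("expires-before-leaf", cn))
    return findings
```

To audit a live server, run the `openssl x509` command from the comment on each certificate printed by `openssl s_client -showcerts` and pass the combined text to `audit_chain`.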

O-23 What is private key compromise?

A Private Key is said to be compromised if its value has been disclosed to an unauthorized person, or an unauthorized person has had access to it.

O-24 What should I do if I suspect the private key of my e-Cert (Server) has been compromised?

We strongly recommend that you submit a request to revoke your certificate.

O-25 If I have evidence that a private key of an e-Cert (Server) has been compromised, what can I do?

You should submit a report to us through the Compromised Key Reporting web page. We will verify the report and revoke the e-Cert (Server) in accordance with the procedures in the CPS within 24 hours.

O-26 What is an Extended Validation e-Cert (Server)? How do the validation procedures of Extended Validation e-Cert (Server) differ from existing e-Cert (Server)?

Before issuing an Extended Validation e-Cert (Server) to the organisation, HKPCA will verify the authentication of the legal, physical, and operational existence of the organisation identity in relation to the Applicant in accordance with the Guidelines for the Issuance and Management of Extended Validation Certificates published by the CA/Browser Forum.

O-27 What are the advantages of Extended Validation e-Cert (Server) over existing e-Cert (Server)?

A website installed with Extended Validation e-Cert (Server) will appear in common web browsers with a padlock icon in the address bar. The subscriber organization's name will be displayed for verification when the padlock icon is clicked.


P. BANK-CERT (PERSONAL / CORPORATE / BANK)

P-1 What is a Registration Bank?

A Registration Bank is a Licensed Bank, with valid banking licence issued under the Banking Ordinance (Cap. 155) of the laws of Hong Kong, which has registered with HKPCA and is a Subscriber of Bank-Cert (Bank). A Registration Bank is the agent acting on behalf of their customers for, and Subscriber of, Bank-Cert (Personal) or (Corporate).

P-2 How do I apply for Bank-Cert (Bank) certificate?

Licensed Banks in Hong Kong that would like to subscribe to Bank-Cert (Bank) are required to make prior arrangements with Hongkong Post Certification Authority for issuance of Bank-Cert (Bank). Interested Licensed Banks in Hong Kong can contact the Hongkong Post Certification Authority hotline at 2921 6633 or email enquiry@eCert.gov.hk for details.

P-3 How do I apply for a Bank-Cert (Personal)/ Bank-Cert (Corporate) certificate?

Interested applicants can refer to their respective Registration Banks for details.

P-4 What is the difference between the new Bank-Cert (Personal) / Bank-Cert (Corporate) issued from December 2015 and the previous Bank-Cert (Personal) / Bank-Cert (Corporate) issued before March 2010?

The new Bank-Cert (Personal) / Bank-Cert (Corporate) are used exclusively for the Designated Transactions specified opposite the name of that Registration Bank in Appendix E of the Bank-Cert Certification Practice Statement for such type of Bank-Cert.

With effect from 31 March 2010, Hongkong Post Certification Authority has terminated all Registration Authorities ("RA") for the old version of Bank-Cert operation and ceased to issue the old version of Bank-Cert.

P-5 What is the key length of Hongkong Post Bank-Cert certificates?

Bank-Cert (Personal) / Bank-Cert (Corporate) / Bank-Cert (Bank) will be issued with 2048-bit RSA key length.

P-6 How many Hongkong Post Bank-Cert certificates can I apply for?

Hongkong Post Certification Authority does not impose a limit on the number of Bank-Cert certificates that an individual or corporation may apply for, nor on the number of Registration Banks through which the individual or corporation may apply for Bank-Certs. However, the respective Registration Banks may have their own limitation/restriction on the number of Bank-Certs that can be applied for via them.

P-7 For how long are Bank-Cert (Personal) / Bank-Cert (Corporate) / Bank-Cert (Bank) valid?

Bank-Cert (Personal) / Bank-Cert (Corporate) / Bank-Cert (Bank) certificates are issued with validity periods ranging from 1 to 5 years.

P-8 Can I change the information on a Bank-Cert certificate?

A Bank-Cert, once generated, cannot be changed. If any information on the certificate, such as your name or your e-mail address, has changed, you must apply for a new certificate. You should also revoke your existing certificate. For further information, please refer to the Registration Bank.

P-9 Which hash algorithms are supported by Hongkong Post CA Bank-Cert?

SHA-256 Bank-Cert (Personal) / Bank-Cert (Corporate) / Bank-Cert (Bank) will be issued by default.

P-10 What is the difference between Bank-Cert and other types of digital certificate in terms of function?

Bank-Cert (Personal) / Bank-Cert (Corporate) certificates issued via a particular Registration Bank can only be used by the Subscriber in Designated Transactions specified opposite the name of that Registration Bank in Appendix E of the Bank-Cert Certification Practice Statement for such type of Bank-Cert.

P-11 How do I revoke my Hongkong Post Bank-Cert certificate?

Bank-Cert (Personal) / Bank-Cert (Corporate) Revocation Request

Submit a revocation request and subsequent final confirmation to the Registration Bank identified in the certificate by fax, letter mail, email or in person, depending upon which of these methods the Registration Bank to be contacted can accept, and the Registration Bank will forward such revocation requests to Hongkong Post.

Bank-Cert (Bank) Revocation Request

For revocation of Bank-Cert (Bank), the Authorised Representative of a Registration Bank of Bank-Cert (Bank) may submit a certificate revocation request, giving no less than one month's notice, and subsequent final confirmation to Hongkong Post Certification Authority by fax, letter mail, email or in person.


Q. HONGKONG POST ROOT CA1 ROLLOVER

Q-1 Why is it necessary to perform "Hongkong Post Root CA 1" rollover?

The Root CA "Hongkong Post Root CA 1" is valid for 20 years (15 May 2003 – 15 May 2023) and its private key is used to sign Sub CA certificates for issuing e-Cert. As the maximum validity of e-Cert is 4 years, a new Root CA is required to be in place at least 4 years before the expiry of the current one, for continuation of the Sub CA for issuing certificates with 4 years validity.

Q-2 What will be the arrangement of the certificate issuance and revocation after the Root CA rollover?

The existing Root CA1 and its Sub CAs will cease signing new Sub CA certificates and issuing new e-Certs respectively, and the new Root CA2 and Root CA3 will be used to sign Sub CA certificates, which will then be used to issue e-Certs. The existing Sub CAs under Root CA1 will continue to perform revocation of certificates issued by them and issue CRLs until the end of the lifetime of the respective Sub CA.

Q-3 What will be the impacts to e-Cert subscribers as a result of the Root CA rollover?

Subscribers with Recognized Certificates issued before the Root CA rollover can continue to use their e-Cert until expiry.

Subscribers with e-Cert (Server) issued after the Root CA rollover may need to install the new SubCA SSL CA3-17. Subscribers with other certificate types issued after the Root CA rollover may need to install the new Root CA2, SubCA2-15 and SubCA2-17 in their applications, such as a web browser or web server. Which Sub CA certificates need to be installed to recognise the new certificate chain depends on the certificate type.

Q-4 Will there be any change in e-Cert subscription and revocation procedures due to the Root CA rollover?

The e-Cert subscription and revocation procedures will remain unchanged after the Root CA rollover.

Q-5 Our application systems support Hongkong Post e-Cert. May I request trial certificates and CRLs to perform testing on our applications before the Root CA rollover?

Application providers can contact HKPCA e-Cert Customer Service at 2921 6633 or email enquiry@eCert.gov.hk to request trial certificates and access to trial CRLs and repository.

Q-6 Will the existing Root CA continue to update and publish ARLs after the Root CA rollover?

The existing Root CA will continue to update and publish ARLs after the Root CA rollover, until the end of the lifetime of the existing Root CA on 15 May 2023.

Q-7 According to Implementation Plan for Root CA "Hongkong Post Root CA 1" Rollover, for the period from 1 February 2019 to 31 March 2019, in addition to issuance of e-Cert (Organisational) under Root CA1 to subscribers of Government B/Ds, e-Cert (Personal) and e-Cert (Organisational) under Root CA1 could also be issued to subscribers in relation to designated Government e-Services. List of designated Government e-Services is maintained by HKPCA and relevant Government B/Ds shall discuss with HKPCA if inclusion of Government e-Services onto this list is required. Which designated Government e-Services are on the list maintained by HKPCA?

The list of designated Government e-Services maintained by HKPCA includes (1) Government Electronic Trading Services (including TDEC, EMAN, DCP and CO); and (2) E-Service for Strategic Commodities Licensing (E-SC).