Hongkong Post e-Cert
Home Contact Us Sitemap 繁體中文 简体中文 Text Mode
A A A


Certizen Limited

Hongkong Post

Level Double-A conformance, W3C WAI Web Content Accessibility Guidelines 2.0

 
 

Date: 16 June 2009

Hongkong Post Certification Authority Sub CANote 1 Rollover in February 2010

  1. SUB CA "HONGKONG POST E-CERT CA 1" ROLLOVER
  2. RELEVANT QUESTIONS AND ANSWERS

Note 1: Sub CA refers to the subordinate certification authority certificate which is issued by the Root CA "Hongkong Post Root CA 1" and is used to sign the Hongkong Post Recognized Certificates.

A. Sub CA "Hongkong Post e-Cert CA 1" Rollover
 

Hongkong Post Certification Authority is the first recognized certification authority in Hong Kong under the Electronic Transactions Ordinance (Cap. 553) ("ETO") since January 2000.

The existing Sub CA "Hongkong Post e-Cert CA 1" that has been used to sign the Hongkong Post e-Cert and Bank-Cert ("Recognized Certificates") since 15 May 2003, will be expired on 15 May 2013.

In order to continue issuing Recognized Certificates with the maximum validity period of 3 years, Hongkong Post CA will perform rollover of the Sub CA according to the schedule below.

Date Event
Starting from 16 June 2009 Trial certificates, CRLs and repository services are available to Relying Parties upon request.
Early February 2010 * CRLs generated by the new Sub CA are available in repository for pre-production test.
End of February 2010 *

Sub CA rollover

* The concrete schedule will be announced in due course.

Relying Parties should be aware of the following areas related to the Sub CA rollover:

  • The new Sub CA will be named as "Hongkong Post e-Cert CA 1 - 10"
  • All Recognized Certificates issued after the Sub CA rollover will be signed by the new Sub CA
  • Recognized Certificates signed by the new Sub CA will have a new certificate format
  • CRLs of both existing and new Sub CA will be generated
  • The Repository will contain all accepted Recognized Certificates signed by the existing and new Sub CA
  • An upgraded version of e-Cert Control Manager software will be released to support e-Cert (Personal) signed by both existing and new Sub CA

Relying Parties should evaluate the implications due to the Sub CA rollover and ensure the relying applications be able to support Recognized Certificates and CRLs issued by the existing and new Sub CA. Relying Parties are recommended to complete the trial testing by 30 November 2009 and Hongkong Post CA will provide necessary support for testing.

Subscribers with Recognized Certificates issued before the Sub CA rollover can continue to use their digital certificates until expiry.

Meanwhile, relying parties can contact Hongkong Post CA hotline 2921 6633 or email to enquiry@hongkongpost.gov.hk for any assistance on supporting Hongkong Post Recognized Certificates signed by the new Sub CA.

Hongkong Post Certification Authority

 
B. Relevant Questions and Answers
 

1. Why is it necessary to perform "Hongkong Post e-Cert CA 1" rollover?

The Sub CA "Hongkong Post e-Cert CA 1" is valid for 10 years (15 May 2003 - 15 May 2013) and its private key is used to sign certificate with the maximum validity period of 3 years. A new Sub CA is required to be in place at least 3 years before the expiry of the current one, for continuation of issuing certificates with 3 years validity.

2. What will be the arrangement of the certificate issuance and revocation after the Sub CA rollover?

After the completion of Sub CA rollover, the existing Sub CA "Hongkong Post e-Cert CA 1" will cease to issue Recognized Certificates, and the new Sub CA "Hongkong Post e-Cert CA 1 - 10" will be used to issue Recognized Certificates. Both the existing and new Sub CA will continue to perform revocation of certificates issued by them and issue CRLs until the end of the lifetime of the respective Sub CA.

3. What will be the impacts to e-Cert subscribers as a result of the Sub CA rollover?

Subscribers with Recognized Certificates issued before the Sub CA rollover can continue to use their e-Cert until expiry.

Subscribers with Recognized Certificates issued after the Sub CA rollover may need to install the new Sub CA to their applications, such as web browser or web server, to recognize the new Sub CA. A new version of e-Cert Control Manager is required to access e-Cert on Smart ID Card. (Refer to point 4 for more detail)

4. What are the impacts to subscribers of e-Cert on Smart ID Card?

The current e-Cert Control Manager ("eCM") software (version 2.1.8 Build 6) can only recognize e-Cert issued by the existing Sub CA "Hongkong Post e-Cert CA 1". A new version of e-Cert Control Manager will be released to support both the existing and the new Sub CA. After the Sub CA rollover, subscribers with e-Cert (Personal) issued by the new Sub CA have to install or upgrade to the latest version of eCM in order to continue using their e-Cert on Smart ID Card. However, it is not necessary to upgrade eCM to the latest version for using their e-Cert which is issued before the Sub CA rollover.

5. Will there be any change in e-Cert subscription and revocation procedures due to the Sub CA rollover?

The e-Cert subscription and revocation procedures will remain unchanged after the Sub CA rollover.

6. Our application systems support Hongkong Post e-Cert. May I request for trial certificates and CRLs to perform testing on our applications before the Sub CA rollover?

Application providers can contact Hongkong Post CA hotline 2921 6633 or email to enquiry@hongkongpost.gov.hk to request for trial certificates and access to trial CRLs and repository.