Date: 1 September 2011
Transition Plan for Issuance of only 2048-bit RSA Key Length e-Cert (Server)
Following a recommendation by the US National Institute of Standards and Technology (NIST), the industry is moving to 2048-bit RSA keys for cryptographic protection. To be in line with industry practice, Hongkong Post Certification Authority will move to issuing only 2048-bit RSA key length e-Cert (Server) in phases. The transition plan is set out as follows:
| Date | Event |
| --- | --- |
| Starting from 1 September 2011 | Trial e-Cert (Server) with 2048-bit key length for testing is available to subscribers upon request. |
| Starting from 1 December 2011 | e-Cert (Server) with a 2-year validity period will be issued only with 2048-bit RSA key length. e-Cert (Server) with a 1-year validity period will be issued with either 1024-bit or 2048-bit RSA key length. |
| Starting from 1 December 2012 | All e-Cert (Server) will be issued only with 2048-bit RSA key length. |
From 1 December 2011 onwards, e-Cert (Server) subscribers should submit their Certificate Signing Request (CSR) with the appropriate key length for certificate generation, according to the transition plan and the validity period of the certificate.
As only 2048-bit RSA key length e-Cert (Server) will be issued starting from 1 December 2012, e-Cert (Server) subscribers should prepare for the use of 2048-bit RSA keys for e-Cert (Server) and evaluate the implications, if any, for their servers and related client applications.
For enquiries, please call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.
Relevant Questions and Answers
1. Why is it necessary to change to the use of 2048-bit RSA key length for e-Cert (Server)?
The change is in line with industry practice to provide a higher level of security in performing electronic transactions.
2. What will be the impact on existing subscribers of e-Cert (Server)?
As only 2048-bit RSA key length e-Cert (Server) will be issued starting from 1 December 2012, existing subscribers of e-Cert (Server) with 1024-bit RSA key length should prepare for the use of 2048-bit RSA keys for e-Cert (Server) upon certificate renewal.
The latest versions of common web servers such as Microsoft IIS and Apache already support 2048-bit RSA keys. For details of 2048-bit RSA key support on your web servers, please contact the respective vendors.
3. Is there any impact on users of web browsers?
The latest versions of common web browsers such as Microsoft Internet Explorer, Apple Safari, Mozilla Firefox and Google Chrome already support 2048-bit RSA keys.
4. Will there be any change in e-Cert (Server) subscription and revocation procedures due to the transition?
The e-Cert (Server) subscription and revocation procedures will remain unchanged. However, e-Cert (Server) subscribers will be required to generate and submit a Certificate Signing Request (CSR) with the appropriate key length for certificate generation, according to the transition plan and the validity period of the certificate.
5. Our servers use Hongkong Post e-Cert (Server). May I request trial certificates to perform testing on our servers?
Subscribers can call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk to request trial certificates for testing.