Date: 5 December 2018
Hongkong Post Certification Authority Root CA Rollover Plan
- IMPLEMENTATION PLAN FOR ROOT CA "HONGKONG POST ROOT CA 1" ROLLOVER
- HONGKONG POST CERTIFICATE REVOCATION LIST, AUTHORITY REVOCATION LIST AND ONLINE CERTIFICATE STATUS PROTOCOL (OCSP) RESPONSE
A. Implementation Plan for Root CA "Hongkong Post Root CA 1" Rollover
Hongkong Post Certification Authority (HKPCA) is the first Recognized Certification Authority in Hong Kong under the Electronic Transactions Ordinance (Cap. 553) ("ETO") since January 2000.
Since 15 May 2003, the existing Root CA of HKPCA "Hongkong Post Root CA 1" ("Root CA1") has been used to sign Sub CA certificates which are used for issuing the Hongkong Post e-Cert, including e-Cert (Personal), e-Cert (Organisational), e-Cert (Encipherment), e-Cert (Organisational Role) and e-Cert (Server). The lifespan of Root CA1 is 20 years.
As Root CA1 will expire on 15 May 2023, in order to continue issuing e-Cert with the maximum validity period of 4 years, HKPCA will perform rollover of the Root CA1 to Root CA "Hongkong Post Root CA 2" ("Root CA2") and "Hongkong Post Root CA 3" ("Root CA3") according to the schedule below.
Date | Event |
---|---|
Starting from 5 December 2018 | Trial e-Cert certificates are available to Relying Parties upon request. |
1 February 2019 | e-Cert (Personal) / e-Cert (Organisational) / e-Cert (Encipherment) / e-Cert (Organisational Role) will be issued under Root CA2 (Note (i)), except for (i) applications of e-Cert (Organisational) from Government Bureau/Departments (B/Ds) subscribers, or (ii) e-Cert (Personal) / e-Cert (Organisational) subscribers in relation to designated Government e-Services (Note (ii)). For Government B/Ds subscribers or subscribers in relation to designated Government e-Services, e-Cert (Personal) / e-Cert (Organisational) continue to be issued under Root CA1 (Note (iii)). |
1 April 2019 | For Government B/Ds subscribers or subscribers in relation to designated Government e-Services, e-Cert (Personal) / e-Cert (Organisational) will be issued under Root CA2 (Notes (i) and (iii)). |
1 July 2019 | e-Cert (Server) will be issued under Root CA3 (Note (iv)). |
Note (i): There are two Sub CAs under Root CA2, namely "Hongkong Post e-Cert CA 2 - 15" ("SubCA2-15") and "Hongkong Post e-Cert CA 2 - 17" ("SubCA2-17"). After rollover, e-Certs will be issued under the two Sub CAs as follows:
Root CA | Sub CA | e-Cert Type |
---|---|---|
Root CA 2 | Sub CA 2-15 | e-Cert (Personal) with MR Status, e-Cert (Organisational) with MR Status, e-Cert (Organisational Role) |
Root CA 2 | Sub CA 2-17 | e-Cert (Personal), e-Cert (Organisational), e-Cert (Encipherment) |
Note (ii): e-Cert (Organisational) from Government B/Ds subscribers or e-Cert (Personal) / e-Cert (Organisational) subscribers in relation to designated Government e-Services will be issued by existing SubCA1-10 while all e-Cert (Personal) with MR Status and e-Cert (Organisational) with MR Status will be issued by new SubCA2-15.
Note (iii): If exception is required, Government B/Ds subscribers or subscribers in relation to designated Government e-Services shall discuss with HKPCA with justification and cases will only be considered on a case-by-case basis. List of designated Government e-Services is maintained by HKPCA and relevant Government B/Ds shall discuss with HKPCA if inclusion of Government e-Services onto this list is required. The indication of subscription for the concerned e-Cert (Personal) / e-Cert (Organisational) in relation to the designated Government e-Services should be clearly stated in the e-Cert application form.
Note (iv): The Sub CA under Root CA3, namely "Hongkong Post e-Cert SSL CA 3 - 17" ("SubCA SSL3-17"), will be used for issuing e-Cert (Server) after rollover.
Relying Parties should be aware of the following areas related to Root CA rollover:
- The existing Root CA1 and its SubCAs will continue to update and publish ARL and CRLs, and sign OCSP responses until end of their lifetime on 15 May 2023.
- The revocation information of e-Cert will be updated and published in the relevant CRLs published by the existing and new Sub CAs. The locations of the CRLs can be found in the "CRL Distribution Points" field of the e-Certs. If the e-Cert supports OCSP, the OCSP response will be served by the relevant OCSP responder of the existing and new Sub CAs. For more details, please refer to Section B below.
Relying Parties should ensure that their relying applications are able to support e-Certs, CRLs and OCSP responses issued by the existing and new Sub CAs under the existing and new Root CAs. Relying Parties are recommended to complete the trial testing by 31 January 2019, and HKPCA will provide the necessary support for testing.
Subscribers with e-Cert issued before the Root CA1 rollover can continue to use their digital certificates until expiry.
Meanwhile, relying parties can contact HKPCA e-Cert Customer Service at 2921 6633 or email to enquiry@eCert.gov.hk for any assistance on supporting Hongkong Post e-Cert signed by the Sub CAs under new Root CAs.
B. Hongkong Post Certificate Revocation List, Authority Revocation List and Online Certificate Status Protocol (OCSP) Response
Certificate Revocation List (CRL) supported by new Sub CAs
HKPCA updates and publishes Certificate Revocation Lists (CRLs) 3 times daily at 09:15, 14:15 and 19:00 Hong Kong Time (i.e. 01:15, 06:15 and 11:00 Greenwich Mean Time (GMT or UTC)).
HKPCA updates and publishes the CRLs issued by SubCA 2-15, SubCA2-17 and SubCA SSL CA3-17 containing information of suspended or revoked e-Certs:
- Partitioned CRLs that contain information of suspended or revoked certificates in groups. Each of the partitioned CRLs is available for public access at the following locations (URLs):
  - e-Cert (Personal) with MR Status issued by SubCA 2-15:
    http://crl1.eCert.gov.hk/crl/eCertCA2-15CRL1_<xxxxx>.crl issued by the Sub CA "Hongkong Post e-Cert CA 2 - 15", where <xxxxx> is a string of five alphanumeric characters.
  - e-Cert (Organisational) with MR Status and e-Cert (Organisational Role) issued by SubCA 2-15:
    http://crl1.eCert.gov.hk/crl/eCertCA2-15CRL2.crl issued by the Sub CA "Hongkong Post e-Cert CA 2 - 15".
  - e-Cert (Personal) issued by SubCA2-17:
    http://crl1.eCert.gov.hk/crl/eCertCA2-17CRL1_<xxxxx>.crl issued by the Sub CA "Hongkong Post e-Cert CA 2 - 17", where <xxxxx> is a string of five alphanumeric characters.
  - e-Cert (Organisational) and e-Cert (Encipherment) issued by SubCA2-17:
    http://crl1.eCert.gov.hk/crl/eCertCA2-17CRL2.crl issued by SubCA2-17.
  - For e-Cert (Server), the information of revoked e-Cert (Server) certificates will only be published in the full CRL.
- Full CRL that contains information of all suspended or revoked certificates issued by SubCA 2-15, SubCA2-17 and SubCA SSL CA3-17 respectively. Each of the full CRLs is available at the following locations (URLs):
  - e-Cert (Personal) with MR Status, e-Cert (Organisational) with MR Status and e-Cert (Organisational Role) issued by SubCA 2-15:
    http://crl1.eCert.gov.hk/crl/eCertCA2-15CRL1.crl or
    ldap://ldap1.eCert.gov.hk (port 389, cn=Hongkong Post e-Cert CA 2 - 15 CRL1, o=Hongkong Post, c=HK)
  - e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) issued by SubCA2-17:
    http://crl1.eCert.gov.hk/crl/eCertCA2-17CRL1.crl or
    ldap://ldap1.eCert.gov.hk (port 389, cn=Hongkong Post e-Cert CA 2 - 17 CRL1, o=Hongkong Post, c=HK)
  - e-Cert (Server) issued by SubCA SSL CA3-17:
    http://crl1.eCert.gov.hk/crl/eCertSCA3-17CRL1.crl or
    ldap://ldap1.eCert.gov.hk (port 389, cn=Hongkong Post e-Cert SSL CA 3 - 17 CRL1, o=Hongkong Post, c=HK)
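A relying party that mirrors these CRLs can use the publication schedule stated above (09:15, 14:15 and 19:00 Hong Kong Time) to detect a cache that has missed an issue. The following Python is an added example and not part of the HKPCA notice; the thisUpdate value would be read from the fetched CRL (for instance with `openssl crl -lastupdate`), and the sample timestamps and the 30-minute grace period are constructed assumptions.

```python
from datetime import datetime, time, timedelta, timezone

# Hong Kong Time is UTC+8 with no daylight saving, so a fixed offset suffices.
HKT = timezone(timedelta(hours=8))
UTC = timezone.utc

# Publication slots stated in the notice: 09:15, 14:15 and 19:00 HKT
# (01:15, 06:15 and 11:00 UTC).
CRL_SLOTS_HKT = (time(9, 15), time(14, 15), time(19, 0))


def _aware(value) -> datetime:
    """Accept a tz-aware datetime or an ISO 8601 string with offset, e.g. '2019-02-01T11:00:00+00:00'."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return dt


def latest_scheduled_issue(now) -> datetime:
    """Most recent scheduled CRL publication time at or before `now`, returned in UTC."""
    now_hkt = _aware(now).astimezone(HKT)
    candidates = []
    # Today's slots plus yesterday's, so an early-morning check falls back to 19:00 HKT of the day before.
    for day_offset in (0, -1):
        day = now_hkt.date() + timedelta(days=day_offset)
        candidates.extend(datetime.combine(day, slot, tzinfo=HKT) for slot in CRL_SLOTS_HKT)
    return max(c for c in candidates if c <= now_hkt).astimezone(UTC)


def crl_is_stale(this_update, now, grace: timedelta = timedelta(minutes=30)) -> bool:
    """True when the cached CRL's thisUpdate predates the latest publication slot.

    Within `grace` of a slot the previous issue is still accepted, allowing for
    signing and distribution delay right after the scheduled time (grace is an assumed value).
    """
    now_utc = _aware(now).astimezone(UTC)
    expected = latest_scheduled_issue(now_utc)
    if now_utc - expected < grace:
        expected = latest_scheduled_issue(expected - timedelta(seconds=1))
    return _aware(this_update).astimezone(UTC) < expected


if __name__ == "__main__":
    # Constructed sample: CRL from the 14:15 HKT slot, checked at 20:00 HKT the same day -> stale.
    print(crl_is_stale("2019-02-01T06:15:00+00:00", "2019-02-01T12:00:00+00:00"))
```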
Authority Revocation List (ARL) supported by new Root CAs
HKPCA updates and publishes the Authority Revocation Lists (ARLs) containing information of suspended or revoked Sub CA certificates. HKPCA shall update and publish the ARL annually before its next update date or when necessary. The latest ARLs are available at the following locations (URLs):
- SubCA 2-15 and SubCA 2-17 issued by Root CA2:
  http://crl1.eCert.gov.hk/crl/RootCA2ARL.crl or
  ldap://ldap1.eCert.gov.hk (port 389, cn=Hongkong Post Root CA 2, o=Hongkong Post, c=HK)
- SubCA SSL CA3-17 issued by Root CA3:
  http://crl1.eCert.gov.hk/crl/RootCA3ARL.crl or
  ldap://ldap1.eCert.gov.hk (port 389, cn=Hongkong Post Root CA 3, o=Hongkong Post, c=HK)
Online Certificate Status Protocol (OCSP) Response supported by new Root CA3 and SubCA SSL3-17
HKPCA has delegated OCSP signing for the root CAs and the following Sub CAs to an OCSP responder by issuing the respective OCSP signer's certificate containing the subject name as follows:
Root CA
Certificate subject name (CN) | OCSP signer's certificate subject name (CN) |
---|---|
"Hongkong Post Root CA 3" | "Hongkong Post Root CA 3 OCSP Responder" |
Sub CA
Certificate subject name (CN) | OCSP signer's certificate subject name (CN) |
---|---|
"Hongkong Post e-Cert SSL CA 3 - 17" | "Hongkong Post e-Cert SSL CA 3 - 17 OCSP Responder" |
Furthermore, a unique OID "1.3.6.1.4.1.16030.1.6" is assigned to the OCSP responders and specified in the field "Certificate Policies" of the OCSP signer's certificate.
Certificate Revocation List supported by existing Sub CAs and Authority Revocation List supported by existing Root CA
The existing SubCA1-10 and SubCA1-15 will cease to issue end entity certificates with effect from 1 April 2019 and 1 July 2019 respectively. However, they will continue to issue the Certificate Revocation Lists (CRLs) containing information of suspended or revoked e-Certs 3 times daily at 09:15, 14:15 and 19:00 Hong Kong Time (i.e. 01:15, 06:15 and 11:00 Greenwich Mean Time (GMT or UTC)) until their expiry.
The existing Root CA1 will also continue to issue the Authority Revocation List (ARL) containing information of suspended or revoked Sub CA certificates annually before its next update date or when necessary, until its expiry.
Root CA1 and SubCA1-15 will also continue to provide OCSP response until their expiry.
For enquiries, please call Hongkong Post Certification Authority e-Cert Customer Service at 2921 6633 or email enquiry@eCert.gov.hk.