Main ContentDigital Certificates for Electronic Transactions
User Journey of Using Digital Certificates
- I want to apply for digital certificates
- I want to submit government applications by using digital certificate
- I want to check online repository and Certificate Revocation List (CRL)
- I want to secure my website by using Secure Socket Layer (SSL) server certificate
- I want to report loss of my digital certificate
In Hong Kong, there are currently two recognized certification authorities (RCAs) issuing recognized digital certificates. Each RCA has its own application procedures for its customers to apply for their types of recognized digital certificates required. Generally speaking, if you want to apply for digital certificates, you must complete and submit the required application form online or in person with face to face verification and present relevant documentary proof of the applicant's identity (e.g. HKID for personal certificate, business registration for organisational certificates), together with appropriate application fees as published in the RCA’s website or in its corresponding Certification Practice Statement (CPS), for processing. The RCAs will deliver the digital certificates to the applicants and publish them in the online repository for each successful application.
To illustrate a user journey for obtaining digital certificate from a RCA, let us take an application for e-Cert (Personal) from the public CA, Hongkong Post Certification Authority (HKPCA) as an example:
Forms and procedures for application and renewal for types of digital certificates issued by the two RCAs in Hong Kong are as follows:
There are a number of e-Government services on GovHK that accept digital certificates for authentication and digital signing. You may find them in the following links:
Let us take the Application for Renewal of Vehicle Licence of the Transport Department as an example for submitting Government application by using digital certificate (http://www.gov.hk/en/apps/tdrenewvehiclelicence.htm):
At the first step, you need to authenticate yourself using your own digital certificate. Please select the type (e.g. personal certificate) of your digital certificate and its location, and input your personal information (i.e. HKID number for personal certificate). If your digital certificate is stored in your Hong Kong Smart ID Card, you have to insert your ID Card into a card reader. After entering the personal identification number (PIN) correctly, the system will authenticate you to proceed to subsequent application procedures.
You can then complete the necessary information for renewal of the vehicle licence. Upon confirmation of all information entered, you will be prompted to digitally sign the submission as shown above. By entering the PIN of your certificate, you then sign and submit the application for renewal of your vehicle licence.
When you want to send encrypted email to a recipient, you have to get his/her digital certificate and check its validity. Both recognized CAs provide you with a web interface to online search and/or download a subscriber’s digital certificate and to check whether it has been revoked or suspended.
To illustrate how to obtain a valid digital certificate through the HKPCA's online repository as an example, you have to submit the recipient’s surname and given name (say, Amy Tam) or her email for searching. The searching results will show you a list of digital certificates that Amy subscribed before. You have to check and select the one which is not yet expired for downloading in order to send encrypted email to her.
A valid digital certificate may be suspended or revoked due to some other reasons. To check whether Amy’s digital certificate is suspended or revoked, you have to search the CRLs issued by HKPCA (ldap://ldap1.hongkongpost.gov.hk) by entering Amy’s name or her email address. If the searching result is nil, you can proceed to use Amy’s digital certificate for encrypting your email and sending to her.
If you want to build a website for transacting e-business in a secure channel, you have to apply for and install a SSL server certificate at your website. To apply for a recognized server certificate from HKPCA as an example, please refer to "I want to apply for digital certificates" for general understanding and then follow the detailed procedures for applying e-Cert (Server).
HKPCA has offered two optional enhanced features of e-Cert (Server) "Wildcard" and "Multi-domain". You can select and apply for the e-Cert (Server) with "Wildcard" or "Multi-domain" feature. "Digital Signature" key usage will be enabled in the e-Cert (Server) when either one of the above features is chosen. The digital signatures generated by the e-Cert (Server) with "Digital Signature" key usage enabled are to be used only for server authentication and for establishment of secure communication channels with the server.
After submitting the e-Cert (Server) application to HKPCA, you will be notified by email of the approval status. The email also requests you to submit a Certificate Signing Request (CSR) with the key pair generated for your server(s) concerned for issuance of the e-Cert (Server). HKPCA will also send out a PIN to you via postal mail, which will be used as an authentication for submitting CSR to HKPCA via its website.
Basing on the CSR submitted, HKPCA validates the details, digitally sign and issue the e-Cert (Server), and publish it on the online repository. You can then download your e-Cert (Server) from HKPCA website and install it for your website.
Please note that different brands and versions of web servers have their own installation procedures for installing the SSL server certificate. Please refer to following links for the specific installation guides:
If your digital certificate is lost, damaged or stolen, you should make a request to your RCA to revoke your digital certificate immediately. Most RCAs provide various means for the submission of the request. For example, Digi-Sign Certification Services Limited provides a Revocation Request Form for you to download and submit by post or in person, whereas HKPCA provides both a traditional way of downloading the Certificate Revocation Request Form as well as an online Application for Certificate Revocation for you to submit your revocation request on the web.
Upon receipt of your confirmation of revocation request, your digital certificate will be revoked, and the validity of the certificate is permanently terminated. You will also receive a notice of revocation from HKPCA via email.