Hongkong Post e-Cert
Home Contact Us Sitemap 繁體中文 简体中文 Text Mode
A A A


Certizen Limited

Hongkong Post

Level Double-A conformance, W3C WAI Web Content Accessibility Guidelines 2.0

 
 

Date: 6 January 2010

Hongkong Post Certification Authority Sub CANote 1 Rollover on 26 February 2010

  1. IMPLEMENTATION PLAN FOR SUB CA "HONGKONG POST E-CERT CA 1" ROLLOVER
  2. HONGKONG POST CERTIFICATE REVOCATION LIST
  3. RELEVANT QUESTIONS AND ANSWERS

Note 1: Sub CA refers to the subordinate certification authority certificate which is issued by the Root CA "Hongkong Post Root CA 1" and is used to sign the Hongkong Post Recognized Certificates.

A. Implementation Plan for Sub CA "Hongkong Post e-Cert CA 1" Rollover
 

On 16 June 2009, Hongkong Post Certification Authority announced the arrangement to perform rollover of the Sub CA "Hongkong Post e-Cert CA 1" in February 2010. The implementation plan for the Sub CA rollover is set out herein as follows:

Date Event
20 January 2010 CRLs generated by the new Sub CA are available in repository for pre-rollover test.
26 February 2010

Sub CA rollover

Relying Parties should be aware of the following areas related to the Sub CA rollover:

  • The new Sub CA will be named as "Hongkong Post e-Cert CA 1 - 10".
  • With effect from 26 February 2010, the new Sub CA will commence to sign and issue Recognized Certificates to applicants and will update and publish CRLs.
  • The existing Sub CA "Hongkong Post e-Cert CA 1" will cease to issue Recognized Certificates with effect from 26 February 2010, but will continue to update and publish CRLs until end of its lifetime on 15 May 2013.
  • The revocation information of Recognized Certificates will be updated and published in the relevant CRLs published by the existing and new Sub CA. The locations of the CRLs can be found in the "CRL Distribution Points" field of the certificates. For more details, please refer to Section B of this announcement.
  • An upgraded version of e-Cert Control Manager software will be available to support e-Cert (Personal) issued by both existing and new Sub CA.

Relying Parties should ensure the relying applications be able to support Recognized Certificates and CRLs issued by the existing and new Sub CA after the Sub CA rollover.

Meanwhile, relying parties can contact Hongkong Post CA hotline 2921 6633 or email to [email protected] for any assistance on supporting Hongkong Post Recognized Certificates signed by the new Sub CA.

 
B. Hongkong Post Certificate Revocation List (CRL)
 

Under normal circumstances, Hongkong Post will publish the latest CRL as soon as possible after the update time mentioned below. Hongkong Post may need to change the updating and publishing schedule of the CRL without prior notice if such changes are considered to be necessary under unforeseeable circumstances.

Certificate Revocation List supported by "Hongkong Post e-Cert CA 1 - 10"

Hongkong Post will update and publish the following Certificate Revocation Lists (CRLs) issued by the Sub CA "Hongkong Post e-Cert CA 1 - 10" containing information of suspended or revoked e-Certs and Bank-Certs 3 times daily at 09:15, 14:15 and 19:00 Hong Kong Time (i.e. 01:15, 06:15 and 11:00 Greenwich Mean Time (GMT or UTC)):-

  1. Partitioned CRLs that contain Information of suspended or revoked certificates in groups. Each of the partitioned CRLs is available for public access at the following locations (URLs):
    1. e-Cert (Personal) :
      http://crl1.hongkongpost.gov.hk/crl/eCertCA1-10CRL1_<xxxxx>.crl
      where <xxxxx> is a string of five alphanumeric characters.
    2. e-Cert (Organisational), e-Cert (Encipherment) and all Bank-Certs :
      http://crl1.hongkongpost.gov.hk/crl/eCertCA1-10CRL2.crl
    3. e-Cert (Server) :
      The information of suspended or revoked e-Cert (Server) certificates will only be published in the full CRL.
  2. Full CRL that contains Information of all suspended or revoked certificates that are issued by the Sub CA "Hongkong Post e-Cert CA 1 - 10". The Full CRL is available at :-
    • http://crl1.hongkongpost.gov.hk/crl/eCertCA1-10CRL1.crl or
    • ldap://ldap1.hongkongpost.gov.hk (port 389, cn=Hongkong Post e-Cert CA 1 - 10 CRL1, o=Hongkong Post, c=HK)

Certificate Revocation List supported by "Hongkong Post e-Cert CA 1"

The Sub CA "Hongkong Post e-Cert CA 1" will cease to issue Recognized Certificates with effect from 26 February 2010, but will continue the existing practice to issue the following Certificate Revocation Lists (CRLs) containing information of suspended or revoked e-Certs and Bank-Certs 3 times daily at 09:15, 14:15 and 19:00 Hong Kong Time (i.e. 01:15, 06:15 and 11:00 Greenwich Mean Time (GMT or UTC)) until its expiry:-

  1. Partitioned CRLs that contain Information of suspended or revoked certificates in groups. Each of the partitioned CRLs is available for public access at a location (URL) specified in the "CRL Distribution Points" field of each certificate issued:
    1. e-Cert (Personal) :
      http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL1_<xxxxx>.crl
      where <xxxxx> is a string of five alphanumeric characters.
    2. For other types of e-Cert and Bank-Cert :
      http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL2.crl
  2. Full CRL that contains Information of all suspended or revoked certificates. The Full CRL is available at :-
    • http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL1.crl or
    • ldap://ldap1.hongkongpost.gov.hk (port 389, cn=Hongkong Post e-Cert CA 1 CRL1, o=Hongkong Post, c=HK)
 
C.

Relevant Questions and Answers

 

Relevant questions and answers related to Sub CA rollover can be found in Section B of the announcement on 16 June 2009. Further questions and answers related to Sub CA rollover can be referred as follows:

1. Will there be any services affected for the Sub CA rollover on 26 February 2010?

HKPCA website and online services will be under maintenance between 11:00 p.m. 25 February 2010 and 1:00 a.m. 26 February 2010 for two hours. However, CRLs and repository services will not be affected during the Sub CA rollover process.

2. Will the existing Sub CA continue to update and publish CRLs after the Sub CA rollover?

Yes. The existing Sub CA will continue to update and publish CRLs until end of its lifetime on 15 May 2013.