Student View Knowledgebase
ITSC The Chinese University of Hong Kong Information Technology Services Centre 資訊科技服務處 香港中文大學 Information Technology Services Centre User Areas Network Services Research and Teaching Computing Computer Accounts About ITSC Application Systems Departmental IT Support Contact ITSC Policies and Guidelines Site Index ITSC Information Security Quick Links for Student Quick Links for Staff CUHK
About Us Accounts Department IT Research & Teaching Information Security Network Services Applications User Area
bullet Alerts, News and Events
bullet Good Practices for
bullet General Users
bullet Technical Professionals (Intranet Only)
bullet Information Security Policies (Intranet Only)
bullet Useful Tools and Links
bullet Anti-virus Software - Kaspersky
bullet CUHK Certificate Authority (CA)
bullet Introduction to PKI
  bullet The CUHK Certificate Authority
  bullet How to apply for a CUHK Digital Certificate?
  bullet How to use a CUHK Digital Certificate?
  bullet Web-applications Using HKPost Digital Certificate
  bullet Security Issues
  bullet FAQ
  bullet Others
bullet Central Authentication and Directory Service
bullet More...
bullet FAQ
bullet Glossary
bullet Report IS incidents
The CUHK Certificate Authority

The CUHK Certificate Authority (CA), operated by ITSC, issues digital certificates to CUHK staff and students. Although CUHK CA is not recognized by the HKSAR Government as a public CA, the certificates issued could be used within CUHK to enhance the security of communications in various CU related computer applications.

  1. Types of Certificates

    A. CUHK CA issues the following 3 types of digital certificates:

    Certificate type Used by ... Usage
    Client Certificate A person Digitally sign e-mail, encrypt/derypt email
    Server Certificate A computer Enable SSL in web sites, proof web site identity
    Object-signing Certificate A department/unit which develop computer programs Proof the authenticity of ActiveX controls and Java applets
    1. The validity period of Client Certificates is the shortest period among the followings:
      1. 3 years from application
      2. (for students) 2 months after graduation
      3. (for contract staff) 2 months after contract end-date
    2. Server Certificates and Object-signing Certificates are valid on 31 Dec 2015.
      Starting from 1 Jun, 2015, the expiry date of all new and renewed CUHK Server Certificate will be set as 31 Dec, 2015. This is because CUHK Server Certificates will be gradually sunset and be decommissioned on 31 Dec, 2015. (Details)

    3. Eligible users have to renew the certificates before they expire.
  2. B. Hongkong Post Digital Certificates

    Some of our web servers and web-based applications have installed with Hongkong Post Digital Cerfitcates. Please click here for details.

  3. Fingerprint of CUHK Root CA Certificate

    In order to operate smoothly with CUHK CA issued digital certificates, you need to install the CUHK Root CA Certificate into your Internet browsers and e-mail applications. By installing the CUHK Root CA Certificate, all digital certificates issued by CUHK CA will be 'trusted' automatically. So it is very important to verify that the root certificate you are installing is genuine, not a fake root certificate generated by someone with malicious intention.

    The procedures for installing the Root Certificate for different programs are available in the section - How to use a CUHK Digital Certificate?

    The genuine CUHK Root CA Certificate has the following information:

    Operation Period 12th Jun, 2000 to 7 Jun, 2020
    Certificate Fingerpirnt  
    using sha1 algorithm: 0C0D D166 33B4 0839 5995 7237 A0C2 2A45 1CDB 119F
    using MD5 algorithm: 93:25:48:D8:40:7C:B1:4A:5E:F5:A4:02:C5:D4:4D:07

  4. Key backup and recovery

    When you enroll for a CUHK Digital Certificate, you can choose to generate the private/public key pair yourself, or let ITSC to generate it for you.

    Key generation Pros Cons
    By yourself (e.g. with Internet Explorer or Netscape)
    1. Only you can access your private key.
    2. You can select a different (e.g. longer) key length for the key pair. A longer key usually means higher security.
    1. You have to backup your key pair manually and store in a secure place.
    2. If you lost your private key, you will not be able to decrypt old email (or any documents encrypted with your old certificate) any more.
    3. If you select a key length larger than 1024 bits, the private key cannot be stored on CU Link card.
    By ITSC
    1. ITSC will store your private key securely. If you lost your private key, ITSC can recover it from the backup copy.
    1. The key length of the key pair is fixed to 1024 bits.
    2. ITSC can access your private key. (ITSC protects the private keys by applying appropriate host security, network security, and operating procedures.)

  5. Certification Policy Statement

    An experimental Certification Policy Statement is available here.


Need Help?
For comments and enquiries about this service, please write to the ITSC Service Desk at

Privacy Policy Disclaimer ITSC CUHK