The CUHK Certificate Authority (CA), operated by ITSC, issues digital certificates to CUHK staff and students. Although CUHK CA is not recognized by the HKSAR Government as a public CA, the certificates issued could be used within CUHK to enhance the security of communications in various CU related computer applications.
- Types of Certificates
A. CUHK CA issues the following 3 types of digital certificates:
||Used by ...
||Digitally sign e-mail, encrypt/derypt email
||Enable SSL in web sites, proof web site identity
||A department/unit which develop computer programs
||Proof the authenticity of ActiveX controls and Java applets
validity period of Client Certificates
is the shortest period among the followings:
- 3 years from application
- (for students) 2 months after
- (for contract staff) 2 months
after contract end-date
Certificates and Object-signing Certificates
are valid for 3 years.
users have to renew the certificates
before they expire.
B. Hongkong Post Digital Certificates
Some of our web servers and web-based applications have installed with Hongkong Post Digital Cerfitcates. Please click here for details.
of CUHK Root CA Certificate
In order to operate smoothly with CUHK CA
issued digital certificates, you need to
install the CUHK Root CA Certificate into
your Internet browsers and e-mail applications.
By installing the CUHK Root CA Certificate,
all digital certificates issued by CUHK CA
will be 'trusted' automatically. So it is
very important to verify that the root certificate
you are installing is genuine, not a fake
root certificate generated by someone with
The procedures for installing the Root Certificate
for different programs are available in the
section - How to use a CUHK Digital Certificate?
The genuine CUHK Root CA Certificate has
the following information:
Jun, 2000 to 7 Jun, 2020
D166 33B4 0839 5995 7237 A0C2
2A45 1CDB 119F
backup and recovery
When you enroll for a CUHK Digital Certificate,
you can choose to generate the private/public
key pair yourself, or let ITSC to generate
it for you.
yourself (e.g. with Internet Explorer
you can access your private
can select a different (e.g.
longer) key length for the
key pair. A longer key usually
means higher security.
have to backup your key pair
manually and store in a secure
you lost your private key,
you will not be able to decrypt
old email (or any documents
encrypted with your old certificate)
you select a key length larger
than 1024 bits, the private
key cannot be stored on CU
will store your private key
securely. If you lost your
private key, ITSC can recover
it from the backup copy.
key length of the key pair
is fixed to 1024 bits.
can access your private key.
(ITSC protects the private
keys by applying appropriate
host security, network security,
and operating procedures.)
An experimental Certification Policy Statement
is available here.