Information Technology Services Centre - Certificate Authority
  • Submit
  • Certificate Authority

    The CUHK Certificate Authority (CA), operated by ITSC, issues digital certificates to CUHK staff and students. Although CUHK CA is not recognized by the HKSAR Government as a public CA, the certificates issued could be used within CUHK to enhance the security of communications in various CU related computer applications.

    Please note that Client Certificate will be terminated by 31 Dec 2017. (details & alternative solution)


    Available to
    Staff & students 


    Service Charge and Application
    Go to 1. Types of Certificates below for details


    Service Availability
    24 X 7 ; except maintenance period


    dummy image
    1. Types of Certificates

    1. Client Certificate (application & renewal will be opened until 31 Dec 2017 due to its termination)
      • A digital certificated used by a person for digitally signing, encrypting and decrypting emails.
      • The validity period of a Client Certificate is 3 years from application (2 months after graduation for student applicants; and 2 months after contract end-date for contract staff).
      • Eligible users should renew the certificates before they expire.
    2. Hong Kong Post Digital Certificates
      • Some of our web servers and web-based applications have installed with Hong Kong Post Digital Certificates. Please click here for details.


    dummy image
    1. CUHK Root CA Certificate

    In order to smoothly operate with CUHK CA issued digital certificates, you need to install the CUHK Root CA Certificate into your Internet browsers and e-mail applications. By installing the CUHK Root CA Certificate, all digital certificates issued by CUHK CA will be 'trusted' automatically. So it is very important to verify that the root certificate you are installing is genuine, not a fake root certificate generated by someone with malicious intention.

    The genuine CUHK Root CA Certificate has the following information:
    • Operation Period 12th Jun, 2000 to 7 Jun, 2020

    Certificate Fingerprint
    • using sha1 algorithm: 0C0D D166 33B4 0839 5995 7237 A0C2 2A45 1CDB 119F
    • using MD5 algorithm: 93:25:48:D8:40:7C:B1:4A:5E:F5:A4:02:C5:D4:4D:07


    dummy image
    1. Application for CUHK Digital Certificate (opened until 31 Dec 2017)

    dummy image
    1. Key Backup and Recovery

    When you enroll for a CUHK Digital Certificate, you can choose to generate the private/public key pair yourself, or let ITSC to generate it for you.

    By yourself

    • Pros: Only you can access to your private key. You can select a different (e.g. longer) key length for the key pair. A longer key usually means higher security.
    • Cons: You have to backup your key pair manually and store in a secure place. If you lost your private key, you will not be able to decrypt old email (or any documents encrypted with your old certificate) any more. If you select a key length larger than 1024 bits, the private key cannot be stored on CU Link card.

    By ITSC
    • Pros: ITSC will store your private key securely. If you lost your private key, ITSC can recover it from the backup copy.
    • Cons: The key length of the key pair is fixed to 1024 bits. ITSC can access your private key. (ITSC protects the private keys by applying appropriate host security, network security, and operating procedures.)


    dummy image
    1. Certification Policy Statement

    An experimental Certification Policy Statement is available here.


    dummy image
    1. Web-applications Using HKPost Digital Certificate

    Since early April, ITSC has started to install Hongkong Post digital certificates in some 30 major web servers and web-based applications under her jurisdiction. The whole process would be completed at the end of May.

    Use of digital certificate is one of the measures that we have implemented to ensure the safe and secure flow of information; it helps to assure that you are not visiting a fraudulent CUHK website. Any information you submit via CUHK website is protected from prying eyes.


    Web Applications with Hongkong Post Digital Certificates
    The following web-based applications have been installed with Hongkong Post digital certificates:

    • Anti-spam and Anti-virus Gateway (
    • Anti-virus Centre (
    • CUHK / CUguest Wi-Fi Service (
    • CUHK Retirees Webmail (
    • CUHK Web Server (,
    • CUHK WebMail and Campus-wide E-mail System (,
    • CUHK WiFi Hotspots Partnership Programme (
    • Electronic Document Management System ( ,
    • iHome Server (
    • Internet Access Services for Alumni (
    • ITSC Accounts Information System (
    • ITSC Service Desk (
    • ITSC Training Courses Registration (
    • ITSC Web Conferencing System (
    • Logic Server (
    • Mailing List (
    • MyCUHK and CUSIS (
    • Student Computing Accounts Collection System (
    • WiFi Hotspots Partnership Programme dot1x Port-based Access (

    These Hongkong Post digital certificates bear a digital signature supported by a Hongkong Post CA root certificate that proves the authenticity of these digital certificates. The Hongkong Post CA root certificate is trusted by Internet Explorer (IE). It is expected to be recognized by other Internet browsers, including Firefox and Safari, in the near future.


    Installation of Hongkong Post CA Root Certificates
    Please refer to the following Hongkong Post web page for the information on the installation of the Hongkong Post CA root certificate in the browsers of your computer if the root certificate is not being trusted by them:


    dummy image
    1. Tips to Safeguard your private Key

    No matter how secure the public key encryption algorithm is, the most important thing is to keep your private key in a safe place which is not available to others. Anyone can decrypt all encrypted messages easily with your private key once they've got it.

    It is your responsibility to keep your private key not available to others. To do so, you should:

    1. If it is possible, don't share your PC (which your private key is installed) with others
    2. If you must share your PC with other people, make sure your private key is protected by password
    3. Never install your private key on a public PC
    4. Do not transfer your private key through the Internet, to prevent your key from being wire-tapped
    5. If you requested ITSC to generate the key for you, you should keep the floppy disk (which contains a PKCS12 file with your Digital Certificate and private key) in a safe place
    6. If you generated the private key yourself, you should backup the private key yourself. Since you generate the private key yourself, your private key isn't stored in ITSC. ITSC is unable to restore your private key.
    7. Make one more disk copy in case one of the disks is corrupted.


    dummy image
    1. About PKI

    PKI stands for Public Key Infrastructure, an architecture to proof the identities of people, web sites, computer programs, etc. on the Internet. In a PKI, Certificate Authority (CA) issues Digital Certificates to applicants. CA also verifies the identity of applicants, and publishes certificates on an on-line repository where people can lookup others' certificates.

    A Digital Certificate on the Internet is analogous to an ID card in the real world. A Digital Certificate issued by Hong Kong Post, or any recognized CA (Certificate Authority) in Hong Kong, is like a HKID card on the Internet. Similarly, a Digital Certificate issued by CUHK CA is like a CUHK ID card on the Internet.

    Below are 3 types of Digital Certificates:

    Client Certificates are issued to individual person. With a Client Certificate, you can digitally sign e-mail, or encrypt/decrypt e-mail messages. Digital Signature enables applications that traditionally require a hand-written signature to be performed on-line. Email encryption (secure email) makes sure only the recipients can decrypt your messages. Eavesdroppers will see the scrambled messages only. Some high security web sites may require you to present your Client Certificate for authentication, instead of using a username/password pair, which is less secure.

    Server Certificates are installed on web sites to proof their identities to visitors. You are assured that you are not visiting a fake site. The communication between your browser and these web sites are also encrypted with the Secure Socket Layer (SSL) protocol. Any information you submitted is therefore protected from prying eyes.

    Object-signing Certificates are issued to program developers to sign Java applets, ActiveX controls, etc. Visitors to a web site can verify the authenticity of such Java applets or ActiveX controls before allowing them to be run in the browser.

    The most important technology underlying PKI is Public Key Cryptography (PKC). When you apply for a Digital Certificate, a pair of mathematically related keys, i.e. a Public Key and a Private Key, will be generated. The Public Key, together with your name, department, email address, etc., will be put into the Digital Certificate. This Digital Certificate will be available on-line for anyone to lookup, and use it to encrypt email to you. The Private Key is used by you to digital sign messages, and decrypt secure email messages sent to you. So it is of the utmost importance for you to keep your Private Key strictly confidential. Anyone getting hold of your Private Key will be able to fake your digital identity.

    If you want to know more about PKI, please visit the following sites: