Information Technology Services Centre - Certificate Authority – How to Apply CUHK Client Certificate

    Certificate Authority – How to Apply CUHK Client Certificate

    Please note that the Client Certificate is available to CUHK staff and students, while the Object-signing Certificate is available to CUHK staff only.

     

    1. Client Certificate Application Procedure

    This procedure applies to first-time applications and to re-applications due to loss of the private key. For advanced users: if you choose to generate the public/private key pair yourself, please refer to the next section - Client certificate (Advanced option).

    1. Stage: Login to the enrollment web page and supply basic information (Est. time required: 3 min.)
      Description: Start the enrollment process by supplying your e-mail address.
      What you should prepare: Your Computing ID and CWEM password; Your e-mail address (must end with cuhk.edu.hk)
    2. Stage: Processing by ITSC (Est. time required: 4 days)
      Description: ITSC will process applications and issue the certificates in batches, twice a week.
    3. Stage: Secure user verification and certificate collection (Est. time required: 10 min.)
      Description: A notification e-mail will be sent to you, requesting a face-to-face confirmation process at ITSC (Rm.804, 8/F, Wu Ho Man Yuen Building). This process is required and cannot be done on-line, to prevent others from getting your private key and thereby impersonating you. You may assign a delegate to collect the certificate for you.
      What you should prepare: Your (or delegate's) CU Link card; Client Certificate Application Form; A USB flash drive to collect a file that contains your private key and certificate
    4. Stage: Certificate installation (Est. time required: 15-30 min.)
      Description: Install the certificate to your browser and e-mail program.
      What you should prepare: The file given to you in stage 3; A password which is used to protect the above file. You can look up the password in the Certificate Application Status page

      Start the application process

     

    1. Client Certificate Application Procedure (Advanced Option)

    This procedure applies to first-time applications or re-applications due to loss of the private key, where you choose to generate the public/private key pair yourself.

    1. Stage: Choose the machine and web browser
      Description: The same web browser on the same machine must be used during the key generation and subsequent certificate retrieval processes. The private key generated will be stored on that browser, so do not use a public PC for this type of certificate enrollment.
      What you should prepare: Windows PC; Internet Explorer or Netscape
    2. Stage: Set up Netscape Master Password (for Netscape users only, est. time required 3 min.)
      Description: Set up your Netscape Master Password. This password will be used to protect your private keys in the Netscape browser on your machine. You are required to set up this Master Password only once with the same browser.
      What you should prepare: Choose your Netscape Master Password
    3. Stage: Login to the enrollment web page, supply basic information and generate key-pair (Est. time required: 5 min.)
      Description: Start the enrollment process by supplying your e-mail address, and generate a public/private key-pair using your browser.
      What you should prepare: Your Computing ID and CWEM password; Your e-mail address (must end with cuhk.edu.hk)
    4. Stage: Processing by ITSC (Est. time required: 4 days)
      Description: ITSC will process applications in batches, twice a week.
    5. Stage: Secure user verification (Est. time required: 10 min.)
      Description: A notification e-mail will be sent to you, requesting a face-to-face confirmation process at ITSC (Rm.804, 8/F, Wu Ho Man Yuen Building). This process is required and cannot be done on-line, to prevent others from getting your private key and thereby impersonating you. You may assign a delegate to collect the certificate for you.
      What you should prepare: Your (or delegate's) CU Link card; Client Certificate Application Form.
    6. Stage: Processing by ITSC (Est. time required: 4 days)
      Description: ITSC will issue the certificates in batches, twice a week.
    7. Stage: Retrieve your digital certificate (Est. time required: 3 min.)
      Description: A notification e-mail will be sent to you after the client certificate has been issued. You can retrieve it with your browser.
      What you should prepare: The same browser on the same machine chosen in stage 3
    8. Stage: Back up your private key and certificate (Est. time required: 3 min.)
      Description: Back up your private key and certificate to a file and keep the file in a safe location.
      What you should prepare: Choose a password to protect the backup file
    9. Stage: Certificate installation (Est. time required: 15-30 min.)
      Description: Install the certificate to your e-mail program, and optionally another Internet browser.
      What you should prepare: The backup file and corresponding password from stage 8

      Start the application process

     

    1. Certificate Renewal

    You will receive an email notification 3 weeks before your existing Client or Server Certificate expires. If you fail to renew the certificate before the existing one expires, you need to follow the procedures in section 2 to re-apply.
    If you have lost your private key, please follow the procedures in section 2 to re-apply. For advanced users: if you choose to generate the public/private key pair yourself, please refer to the next section - Client certificate (Advanced option).

    1. Stage: Login to the renewal web page and supply basic information (Est. time required: 3 min.)
      Description: Start the renewal process by supplying your e-mail address.
      What you should prepare: Your Computing ID and CWEM password; Your e-mail address (must end with cuhk.edu.hk)
    2. Stage: Processing by ITSC (Est. time required: 4 days)
      Description: ITSC will process applications and issue the certificates in batches, twice a week.
    3. Stage: Certificate collection
      Description: A notification e-mail will be sent to you when the new certificate is ready. You can choose from one of the following certificate collection options.
      1. collection via encrypted e-mail (Est. time required: 2 min.)
        Description: A file with your new private key and certificate will be attached in an e-mail encrypted with your existing Client Certificate. The need for face-to-face confirmation is eliminated.
        What you should prepare: Your Client Certificate that is about to expire should be installed in the e-mail client program
      2. collection at ITSC (Est. time required: 10 min.)
        Description: You may collect your new certificate at ITSC (Rm.804, 8/F, Wu Ho Man Yuen Building). You may assign a delegate to collect the certificate for you.
        What you should prepare: Your (or delegate's) CU Link card; Client Certificate Application Form; A USB flash drive to collect a file that contains your private key and certificate
    4. Stage: Certificate installation (Est. time required: 15-30 min.)
      Description: Install the certificate to your browser and e-mail program.
      What you should prepare: The file given to you in stage 3; A password which is used to protect the above file. You can look up the password in the Certificate Application Status page

      Start the renewal process

     

    1. Certificate Renewal (Advanced Option)

    If you have lost your private key, please follow the procedures in section 2 to re-apply. This procedure is applicable to users who choose to generate the public/private key pair themselves.

    1. Stage: Choose the machine and web browser
      Description: The same web browser on the same machine must be used during the key generation and subsequent certificate retrieval processes. The private key generated will be stored on that browser, so do not use a public PC for this type of certificate enrollment.
      What you should prepare: Windows PC; Internet Explorer or Netscape
    2. Stage: Set up Netscape Master Password (for Netscape users only, est. time required 3 min.)
      Description: Set up your Netscape Master Password. This password will be used to protect your private keys in the Netscape browser on your machine. You are required to set up this Master Password only once with the same browser.
      What you should prepare: Choose your Netscape Master Password
    3. Stage: Login to the enrollment web page, supply basic information and generate key-pair (Est. time required: 5 min.)
      Description: Start the enrollment process by supplying your e-mail address, and generate a public/private key-pair using your browser.
      What you should prepare: Your Computing ID and CWEM password; Your e-mail address (must end with cuhk.edu.hk)
    4. Stage: Processing by ITSC (Est. time required: 4 days. If you have your existing Client Certificate installed in your browser, you can skip this stage and perform the on-line verification in stage 5)
      Description: ITSC will process applications in batches, twice a week.
    5. Stage: Secure user verification
      Description: A notification e-mail will be sent to you, requesting verification of your identity. You can choose from one of the following options:
      1. on-line verification (Est. time required: 2 min.)
        Description: If you have your existing Client Certificate installed in your browser, you can verify securely on-line. The need for face-to-face confirmation is eliminated.
        What you should prepare: Your Client Certificate that is about to expire should be installed in the browser
      2. verification at ITSC (Est. time required: 10 min.)
        Description: You may verify your identity at ITSC (Rm.804, 8/F, Wu Ho Man Yuen Building). You may assign a delegate to perform the verification for you.
        What you should prepare: Your (or delegate's) CU Link card; Client Certificate Application Form.
    6. Stage: Processing by ITSC (Est. time required: 4 days)
      Description: ITSC will issue the certificates in batches, twice a week.
    7. Stage: Retrieve your digital certificate (Est. time required: 3 min.)
      Description: A notification e-mail will be sent to you after the client certificate has been issued. You can retrieve it with your browser.
      What you should prepare: The same browser on the same machine chosen in stage 3
    8. Stage: Back up your private key and certificate (Est. time required: 3 min.)
      Description: Back up your private key and certificate to a file and keep the file in a safe location.
      What you should prepare: Choose a password to protect the backup file
    9. Stage: Certificate installation (Est. time required: 15-30 min.)
      Description: Install the certificate to your e-mail program, and optionally another Internet browser.
      What you should prepare: The backup file and corresponding password from stage 8

    Start the renewal process

     

    1. Secure user verification and certificate collection

    1. Verification / Certificate Collection at ITSC
      In the following situations, you will be required to come to ITSC during the certificate application process:
      1. You are applying for a certificate for the first time. A face-to-face confirmation process at ITSC is required; it cannot be done on-line because, at that moment, you do not have a secure digital identity (e.g. a Digital Certificate) for on-line verification.
      2. You are renewing a certificate, but you do not have an active certificate installed in your browser, thus on-line verification is not possible.
      3. The private key and certificate are ready at ITSC, but you do not have an active certificate installed in your email program, thus we cannot send you the new private key and certificate in an encrypted email. The only secure way to collect the private key and certificate is to come to ITSC.

      During the application process, you will receive an email notification when the verification / collection process is required. For each application, you only need to come to ITSC once.

      You may authorize another person (CUHK student or staff) to perform the verification process and collect the digital certificate on your behalf. Please come, during office hours, to the CU Link Card Centre, Information Technology Services Centre, Room 804, 8/F, Wu Ho Man Yuen (WMY) Building, The Chinese University of Hong Kong, with a USB flash drive* and the following documents:

      • Client Certificate Application Form, or
        Object Signing Certificate Application Form
      • If you come in person, please bring the original of your identity proof:
        • for CUHK staff/student: CU Link card, or
        • for other HK resident: Hong Kong ID card, or
        • for non HK resident: supervisor's endorsement letter as well as documents which can prove your identity
      • If you authorized a delegate:
        • delegate's CU Link card, and
        • a photocopy of your (applicant's) identity proof
      • Remember to bring a USB flash drive. Otherwise, you can't get your Digital Certificate and private key. We have no USB flash drive for sale. If you selected the Advanced Option, i.e. generate the key pair yourself, then you will collect your Digital Certificate via Internet download, thus no USB flash drive is required.

    2. Verification / Certificate Collection with Active Digital Certificate
      When you renew your certificate, you can verify your identity on-line with your active, about-to-expire certificate. Moreover, we can send you the new private key and certificate in a secure email encrypted with your active certificate. You need to install your active certificate in your Internet browser to perform on-line verification, and in your email program to decrypt the email with the new certificate.