Information Technology Services Centre - Certificate Authority – How to Use CUHK Client Certificate

    CUHK Client Certificates can be used with:

    • Chrome, Firefox, Internet Explorer & Safari: access websites that require client certificate authentication 
    • Outlook: Encrypt / Decrypt emails


    1. Pre-requisite - CUHK Root CA Certificate

    In order to operate smoothly with digital certificates issued by CUHK CA, you need to install the CUHK Root CA Certificate into your Internet browsers and e-mail applications. Once the CUHK Root CA Certificate is installed, all digital certificates issued by CUHK CA will be 'trusted' automatically. It is therefore very important to verify that the root certificate you are installing is genuine, and not a fake root certificate generated by someone with malicious intent.
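
    One way to carry out the verification described above, as an added example that is not part of the original ITSC page: a Python script that computes the SHA-256 fingerprint of the downloaded root certificate file (PEM or DER) and compares it with the fingerprint obtained from ITSC through a separate trusted channel. The function names and the choice of SHA-256 are assumptions; this page does not publish a fingerprint value.

```python
import hashlib
import hmac
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def load_der(raw: bytes) -> bytes:
    """Return the DER encoding of a certificate file supplied as PEM or DER."""
    if PEM_HEADER.encode() in raw:
        text = raw.decode("ascii")
        # Drop anything before the armor, then let ssl strip it and base64-decode.
        return ssl.PEM_cert_to_DER_cert(text[text.index(PEM_HEADER):].strip())
    return raw


def normalize(fingerprint: str) -> str:
    """Lower-case hex without colons or spaces, so display formats compare equal."""
    cleaned = fingerprint.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def sha256_fingerprint(raw: bytes) -> str:
    """Fingerprint is taken over the DER bytes, so PEM and DER copies agree."""
    return hashlib.sha256(load_der(raw)).hexdigest()


def is_genuine(raw: bytes, published: str) -> bool:
    """True only if the file's fingerprint equals the published fingerprint."""
    return hmac.compare_digest(sha256_fingerprint(raw), normalize(published))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        # Both arguments are supplied by the user; no value is built in.
        sys.exit("usage: verify_root.py <downloaded-cert-file> <published-fingerprint>")
    with open(sys.argv[1], "rb") as fh:
        ok = is_genuine(fh.read(), sys.argv[2])
    print("fingerprint matches" if ok else "MISMATCH: do not install this certificate")
    sys.exit(0 if ok else 1)
```

    Install the certificate only when the script reports a match; a mismatch means the downloaded file is not the one ITSC published.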


    Install CUHK Root CA Certificate for:

    • Safari / Internet Explorer / Firefox / Chrome on Windows or Mac
    • Android
    • Download for iPhone / iPad / Windows Phone


    2. Installation of CUHK Client Certificate

    3. Storage & Backup of Client Certificate

    It is important for you to know where your private key is stored in different software packages and how to protect it from being accessed by other users.

    Internet Explorer, Firefox, Outlook 2007/2010, Outlook Live

    • Location of private key: Windows Registry (a file on your local computer)
    • Private key protected by: Windows password
    • Remarks:
      1. All 3 packages share the same certificate store.
      2. To prevent others from accessing your private key, log out of Windows after use.

    Backup / transfer of private key

    • Location of private key (certificate store): PKCS12 file (a file with .p12 or .pfx extension)
    • Private key protected by: PKCS12 password
    • Remarks:
      1. PKCS12 is a standard file format to store both the private key and certificate.
      2. You can back up your private key from IE to a PKCS12 file, or restore it from a PKCS12 file to IE.
      3. You can also copy your private key and certificate to another browser/machine via a PKCS12 file.


    Backup of Private Key


    4. Sending Secure Email with CUHK Client Certificate

    Email encryption
    Email encryption allows you to send an email to a recipient with the message content scrambled. Only the intended recipient can decrypt the message.

    The recipient must have a digital certificate. Your email program will look up the recipient's certificate from the CUHK LDAP server, and use the recipient's public key, which is embedded in the certificate, to encrypt the email.

    The recipient's email program will use the recipient's private key to decrypt the email.


    Digital signature on email
    Digital signature on email allows the recipient to verify that the message came from you. No one except you can generate a digital signature with your identity.

    Your email program will use your private key to generate a digital signature. Your digital certificate will (optionally) be sent together with the email and the signature.

    If your certificate is not sent with the email, the recipient's email program will look up your certificate from the CUHK LDAP server. The email program will use your public key, which is embedded in the certificate, to verify your signature. Any change to the original email message will make the signature verification fail.

    A secure email can be encrypted, signed, or both. Beware that if an email is only signed, its content is not encrypted, so the message can still be wiretapped.

    Sending secure email


    Receiving secure email
    Your email program will automatically decrypt secure email if your private key and certificate are installed.