Information Technology Services Centre - FAQs on Certificate Authority

    Q1: How do we verify e-mails that are claimed to be digitally signed by CUHK users?
    A1: To verify e-mails that are claimed to be digitally signed by CUHK users, you need to install the CUHK Root CA Certificate into your Internet browsers and e-mail applications. Once the CUHK Root CA Certificate is installed, all digital certificates issued by CUHK CA will be 'trusted' automatically. So it is very important to verify that the root certificate you are installing is genuine, not a fake root certificate generated by someone with malicious intent.

     

    Q2: I’m not a CUHK user. How can I send encrypted e-mails to CUHK members?
    A2: To send encrypted e-mails to CUHK members, you must do the following in your e-mail programme:

    1. Install the CUHK Root CA Certificate. By installing the CUHK Root CA Certificate, all digital certificates issued by CUHK CA will be 'trusted' automatically.
    2. Set up the CUHK LDAP Server. This will let you look up your target recipients' CUHK certificates on the CUHK LDAP server.

    After the above setup, you can now send encrypted e-mails to CUHK members.

     

    Q3: I've received a CUHK e-mail with smime.p7s attachment and it said "This is an SMIME signed message". What does it mean?
    A3: This means that it is a digitally signed message. You should open the digital certificate to check the identity of the sender. To improve security, all notifications sent through the following ITSC systems will be signed with CUHK CA Certificates starting from the dates listed:

    1. Jun 23 - ITSC Electronic HelpDesk
    2. Jul 7 - ITSC Accounts Information Management System
    3. Jul 7 - ITSC Abnormal Network Traffic Alert System
    4. Jul 14 - CU Mass Mailings

    You are strongly advised to install the CUHK Root CA Certificate. This allows browsers and e-mail applications to trust certificates issued by CUHK CA automatically, which saves you a lot of time.

    Please be aware that not all e-mail applications support this feature (e.g. Webmail). In such cases, you will receive e-mails with attachments such as smime.p7s (or p7m). Please read the following FAQ on how to verify signed/encrypted messages in various e-mail applications.

     

    Q4: How to verify signed/encrypted messages in my e-mail applications?
    A4: If a digital signature can be verified, you can be sure about the sender's identity, and that the e-mail has not been tampered with during transmission. However, some e-mail applications do not support digital signature verification. In those systems, you will find an attachment named "smime.p7s" in the e-mail. Webmail systems, in general, lack digital signature verification support.

    For more convenient access to CUHK webpages and e-mails, you are strongly advised to install the CUHK Root CA Certificate into your Internet browsers and e-mail applications. With the installation, all digital certificates issued by CUHK CA will be trusted automatically.
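
    An added example (not ITSC's own code) of what a mail client inspects to tell these cases apart: it classifies a message by its MIME structure as clear-signed (detached smime.p7s), encrypted or opaque-signed (smime.p7m), or not S/MIME at all. It goes slightly beyond the text by also reading the smime-type parameter; the sample message and addresses are constructed, and no signature is verified here.

```python
from email import message_from_string

# Constructed sample: a clear-signed message as a webmail user would receive it.
SAMPLE_SIGNED = """\
From: helpdesk@example.edu
To: user@example.edu
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Your request has been received.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SIG_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")
MIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def classify_smime(raw):
    """Return (kind, attachment_name) describing how S/MIME is applied."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload() if msg.is_multipart() else []
        if len(parts) != 2:
            return ("malformed", "multipart/signed needs exactly 2 parts")
        if parts[1].get_content_type() not in SIG_TYPES:
            return ("malformed", "second part is not a PKCS#7 signature")
        # Part 0 stays readable without S/MIME support; part 1 is the
        # detached signature that shows up as the smime.p7s attachment.
        return ("clear-signed", parts[1].get_filename() or "smime.p7s")
    if ctype in MIME_TYPES:
        # The whole body is one PKCS#7 blob; smime-type says what it holds.
        smime_type = msg.get_param("smime-type") or "unknown"
        kinds = {"enveloped-data": "encrypted", "signed-data": "opaque-signed"}
        return (kinds.get(smime_type, "pkcs7-mime"), msg.get_filename() or "smime.p7m")
    return ("none", "")
```

    A client without S/MIME support can still display the text part of a clear-signed message, which is why only the smime.p7s attachment looks unusual there.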

     

    Q5: Can I encrypt/decrypt e-mail in webmail?
    A5: No. At present, most of the webmail services do not support secure e-mail.

     

    Q6. What if the private key is compromised?
    A6: If your private key is compromised, you should:

    1. Stop using the old private key to sign messages;
    2. Ask people who send encrypted messages to you to stop using your old public key.

     

    Q7. What if the private key is lost?
    A7: There is no way to recover your private key from either your Digital Certificate or your public key. That is why the private key is so important, and why you must take precautions against losing it accidentally or due to hard disk corruption, virus infection, etc.

    If you lose your private key, you cannot create digital signatures, nor read messages encrypted with your public key.

    If you selected the Basic (Default) Option during certificate application, your private key was generated and backed up by ITSC. Please contact us at http://servicedesk.itsc.cuhk.edu.hk/ to recover your private key.

     

    Q8. Should I delete the expired certificates from my browsers/e-mail programs?
    A8: Your expired certificates and the corresponding private keys will still be useful for decrypting old e-mail messages that were encrypted with those expired certificates. So you should not delete any expired certificates. In fact, you should back up all the certificates so that you can still access old encrypted messages in case your PC crashes.

     

    Q9. How to check whether it is a genuine CUHK webpage by digital certificate?
    A9: On our webpages, digital certificates are applied when

    1. collecting your CWEM login information,
    2. requesting your personal information like bank account.

    These websites have also adopted Secure Sockets Layer (SSL) 128-bit encryption for data transfer to ensure a secure flow of information. That is, your entered information is changed to unreadable code before transmission, and only authorized receivers can unlock the encryption to view your information.
    Follow the steps below to check whether a webpage uses a genuine CUHK digital certificate issued by CUHK Root Certification Authority (CA) or Hongkong Post e-Cert.

    a. Locate a lock icon next to the address bar of your internet browser. This indicates the website is encrypted. Click once and you can find the general information about this Certificate.

    b. Click "view certificates" for more information about the certificate.

    c. Click on the "details" tab in the above certificate window and compare the details with those of Hongkong Post e-Cert or CUHK Root CA.

     CUHK Root CA

    Go to the CUHK Root CA webpage to check whether the thumbprint of the site is the same as the certificate fingerprint of the genuine CUHK Root CA certificate.

     Hongkong Post CA

    Go to Hongkong Post e-Cert and enter the Server name to check whether the Serial Number of the site is the same as the Serial Number of the genuine Hongkong Post e-Cert CA.


    If they are the same, the site you checked has a genuine certificate issued by CUHK Root CA or Hongkong Post e-Cert.
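
    The thumbprint comparison described above, and the check in A1 that a root certificate is genuine before it is installed, as an added Python example (not ITSC's own code). The certificate bytes are constructed stand-ins and the function names are illustrative; the published value would be the fingerprint shown on the CUHK Root CA webpage.

```python
import hashlib
import hmac
import re
import ssl

# Hash algorithm implied by the length of a published hex fingerprint.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

def normalize_fingerprint(text):
    """Strip the separators and case differences viewers and web pages use."""
    hexstr = re.sub(r"[\s:-]", "", text).lower()
    if len(hexstr) not in ALGO_BY_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint: %r" % text)
    return hexstr

def cert_fingerprint(pem, algo):
    """A fingerprint is the hash of the certificate's DER encoding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algo, der).hexdigest()

def matches_published(pem, published):
    """True only if the certificate hashes to the published fingerprint."""
    want = normalize_fingerprint(published)
    got = cert_fingerprint(pem, ALGO_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(got, want)

def as_viewer_style(hexstr):
    """Format as AA:BB:CC..., the way many certificate viewers display it."""
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2)).upper()

# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash over the DER bytes, so any byte string demonstrates the comparison.
SAMPLE_DER = bytes(range(200))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# Same "certificate" with its last byte changed, standing in for a fake root.
TAMPERED_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER[:-1] + b"\x00")

if __name__ == "__main__":
    published = as_viewer_style(hashlib.sha256(SAMPLE_DER).hexdigest())
    print("genuine :", matches_published(SAMPLE_PEM, published))
    print("tampered:", matches_published(TAMPERED_PEM, published))
```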