Certificate Issuance and Installation – Hong Kong Certification Authority (HKCA)

Digital certificates work on Linux and macOS, as well as Windows. Support is built into the OS, browsers, and common applications such as OpenSSL (Linux/macOS), Keychain Access (macOS), certutil/pk12util (NSS/Firefox), security CLI (macOS).

Press Windows + R, type certmgr.msc, and press Enter.
In the Certificate Manager, navigate to: Certificates – Current User > Personal > Certificates.
Look for your digital certificate in the list.
Verify that your d-Cert appears in the list, your name or organisation matches the expected identity, the expiration date is valid.
Double‑click the certificate and check that this certificate is OK.

To transfer your d-Cert, begin by exporting it from your current computer’s hard drive to a USB flash drive or another secure transfer medium. Once the export is complete, you can then import the d-Cert into your new computer. To import your d-Cert into Microsoft Edge:

Open Microsoft Edge and click the three-dot menu (⋯) in the upper-right corner
Select “Settings”
In the left-hand menu, go to “Privacy, search, and services”
Scroll down to the “Security” section and click “Manage certificates”
In the Certificates window, choose “Import” and follow the wizard to locate the exported file
Enter the transport password you set during export when prompted

Note: Please make sure that you have successfully imported the certificate to the new machine before deleting the old certificate and the transient file.

A quicker and easier way to change the password of a d‑Cert file is by using OpenSSL, a standard tool for working with d‑Cert files in PKCS#12 format on Linux, macOS, and Windows. PKCS#12 does not support in‑place password changes; therefore, the file must be re‑exported with a new password. Alternatively, on Windows, if the d‑Cert file (PKCS#12 format) has been imported into the certificate store, you can use the Certificates (MMC snap‑in). Simply right‑click the d‑Cert certificate, select Export, and re‑export it with a new password. This method leverages the Windows CryptoAPI and is convenient for users who prefer a graphical interface. Note: This approach only works if the private key is marked as exportable.

The HKCA Root certificates are available for downloading under the heading of “Resources – Root and Intermediate CA Certificates”.

The HKCA Root CA certificate is not pre-installed in standard browsers or operating systems. This means that you will have to load the HKCA Root CA certificate into your browser and operating systems yourself. You need this root certificate to validate a certificate issued by HKCA.

Questions

Can a d-Cert be used on computers running Linux or Mac operating systems?

How do I know that my HKCA d-Cert certificate is properly installed on Windows?

How do I transfer my digital certificate to a new computer?

Is there any tool or program that can be used to change the password of the d-Cert file?

Where do I download the public key of the HKCA Root CA certificate, and how do I install it in the browser?

Why does my browser first have to accept the HKCA Root CA certificate?