Questions

You can verify the status of your revoked d-Cert certificate by downloading the complete HKCA Certificate Revocation List (CRL) from the directory server at ldap.hkca.hk, which is updated daily. The CRL on this server can only be accessed using the LDAP protocol, so you will need client software with LDAP capability. Alternatively, you may visit our website and access the CRL at https://www.hkca.hk/repository-en/. For Microsoft Windows users, opening the CRL file will display a pop-up screen listing revoked certificates in order of their serial numbers. You can then locate your certificate by its serial number. Please note that the revocation status of expired certificates will not be published in the CRL.
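The serial-number lookup described above, shown as an added example rather than HKCA tooling: it reads the revoked serial numbers from a DER-encoded CRL and reports whether a given serial is listed. The embedded CRL is constructed for illustration with a placeholder signature, the function names are hypothetical, and the signature is not verified here, so a real check must first validate the CRL against the HKCA issuing certificate with an X.509 library.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):  # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return (this_update, next_update, {serial: revocation_date}); signature is NOT checked."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])  # fields of TBSCertList
    fields = fields[1:] if fields[0][0] == 0x02 else fields  # drop optional version
    this_update, rest, next_update, revoked = _time(*fields[2]), fields[3:], None, {}
    if rest and rest[0][0] in (0x17, 0x18):  # optional nextUpdate
        next_update, rest = _time(*rest[0]), rest[1:]
    if rest and rest[0][0] == 0x30:  # optional revokedCertificates
        for _, entry in _children(rest[0][1]):
            serial, when = _children(entry)[:2]
            revoked[int.from_bytes(serial[1], "big")] = _time(*when)
    return this_update, next_update, revoked

def revocation_status(der, serial_hex, now):
    """'revoked', 'not-listed' (not proof of validity) or 'crl-stale' (fetch a newer CRL)."""
    _, next_update, revoked = parse_crl(der)
    if next_update is not None and now > next_update:
        return "crl-stale"
    serial = int(serial_hex.replace(":", "").replace(" ", ""), 16)
    return "revoked" if serial in revoked else "not-listed"

SAMPLE_CRL = bytes.fromhex(  # constructed: issuer CN=Demo CA, revoked serials 1A2B and C0FFEE
    "3081863072020101300d06092a864886f70d01010b0500" "30123110300e06035504030c0744656d6f204341"
    "170d3235303130323031313530305a" "170d3235303130323036313530305a"
    "302c301302021a2b170d3235303130313033303030305a" "3015020400c0ffee170d3235303130313039303030305a"
    "300d06092a864886f70d01010b0500" "030100")
```

A result of `not-listed` is not proof that a certificate is valid: expired certificates are not published in the CRL, and a new revocation appears only in the next published CRL.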

Subscribers can submit renewal applications through the HKCA d-Cert Subscriber Portal. For details, please refer to Renewal of d-Cert.

If you lose your HKCA d-Cert certificate, you must revoke your certificate immediately. If you have accidentally deleted your certificate, you can simply import it from your back‑up copy. However, if no back‑up copy is available, you must submit a new application for a replacement certificate.

A subscriber, or the Authorised Representative of a subscriber organisation, may request certificate revocation from HKCA using one of the following methods:

  1. Submitting the request via the d-Cert Subscriber Portal
  2. Sending a digitally signed e-mail to enquiry@hkca.hk
  3. Presenting the revocation request in person together with valid proof of identity.

Suspensions and revocations of certificates will be effective only after they have been published in the Certificate Revocation List (CRL).

 

d-Cert (Personal) Certificate Revocation Request

A personal certificate can only be revoked by the subscriber of that certificate.

 

d-Cert (Organisational) Certificate Revocation Request

An organisational certificate can be revoked by:

  1. A person nominated as an Authorised Representative for the organisation, or
  2. The person whose name appears on the certificate as the subscriber of that certificate.

 

d-Cert (Server) Certificate Revocation Request

A server certificate can be revoked by a person nominated as an Authorised Representative for the organisation.

 

d-Cert (Encipherment) Certificate Revocation Request

An encipherment certificate can be revoked by a person nominated as an Authorised Representative for the organisation.

 

Business Hours for Processing Revocation Requests

Monday to Friday: 9:00 a.m. to 5:00 p.m.
Saturdays, Sundays & Public Holidays: No Service

 

If a Tropical Cyclone Warning Signal No. 8 (or higher) or a Black Rainstorm Warning Signal is hoisted, processing of revocation requests will be suspended immediately. Processing will resume as follows:

  • If the signal is lowered at or before 6:00 a.m. on the same day, processing will recommence at the service’s usual business hours that day.
  • If the signal is lowered after 6:00 a.m. but at or before 10:00 a.m., processing will recommence at 2:00 p.m. on that day, provided the day is not a Saturday, Sunday or public holiday.
  • If the signal is lowered after 10:00 a.m., processing will recommence at the usual business hours on the next weekday that is not a Saturday, Sunday or public holiday.

 

Service Pledge and Certificate Revocation List Update

  1. HKCA will exercise reasonable endeavours to ensure that within 2 working days of either (1) HKCA receiving a revocation request from the Subscriber or (2) the decision by HKCA to suspend or revoke the certificate, the suspension or revocation is posted to the Certificate Revocation List.
  2. However, a Certificate Revocation List is not published to the public directory immediately after each suspension or revocation. Only when the next Certificate Revocation List is updated and published will it reflect the revocation status of the certificate. [Certificate Revocation Lists are published 3 times daily at 09:15, 14:15 and 19:00 Hong Kong Time.]

For the avoidance of doubt, Saturdays, Sundays, public holidays and all weekdays on which a Tropical Cyclone Warning Signal No. 8 (or above) or a Black Rainstorm Warning Signal is hoisted are not working days.

Each browser has its own back-up procedures. For Microsoft Edge users:

  1. Open Microsoft Edge and click the three-dot menu (⋯) in the upper-right corner.
  2. Select “Settings”.
  3. In the left-hand menu, go to “Privacy, search, and services”.
  4. Scroll down to the “Security” section and click “Manage certificates”.
  5. In the Certificates window, select the d-Cert you intend to save and click “Export”. This will launch the Certificate Export Wizard.
  6. Choose to export the certificate “with the private key” (important if you need to reuse it).
  7. You will be prompted to set a transport password. This password will be required when importing or opening the exported certificate file.
  8. Select a location and file name in which to save your d-Cert. Click Save.
  9. Protect your d-Cert file or other media and your transport password in a secure manner.

You should not delete your expired or revoked d-Cert. By deleting a certificate, you will no longer have access to the private key associated with it and it will therefore no longer be possible to read encrypted messages with it.

Subscribers should keep the old PIN document and the old d-Cert file in order to use the old d-Cert. The new PIN document will be applicable to the renewed d-Cert file.

When an HKCA d‑Cert certificate expires, it can no longer be used for secure e‑mail communication or other security functions. To continue using digital certificate services, you should re‑apply for a new d‑Cert certificate.

As your digital certificate is protected by a password, it is unlikely that others will be able to use it to impersonate you. However, we strongly advise you to revoke your certificate immediately if your computer has been stolen and then apply for a new one.

We strongly recommend that you revoke (cancel) your certificate if you suspect that your private key has been compromised, or if you no longer wish to participate in the HKCA Public Key Infrastructure. Moreover, for d-Cert (Server) certificates, including DV, OV, and EV types, you should consider revocation in the following circumstances to prevent future misuse:

  • you no longer control, or are no longer authorised to use, all of the domain names in the certificate.
  • you are discontinuing your website and will no longer require the certificate.
  • your organisation’s name or other organisational details in the certificate have changed.
  • you have requested a new certificate to replace an existing certificate.

Subscribers may not receive a renewal notice if they have not provided an email address to HKCA, or if they have changed their email address without notifying HKCA. In such cases, HKCA is unable to issue the notice by email. To check whether your d-Cert is due for renewal, you may contact our customer service hotline at (852) 3168 0680 or send an email to enquiry@hkca.hk.

If you lose your certificate and do not have a back‑up copy, you will also lose access to all your previously encrypted messages, as the private key required to decrypt them will no longer be available. It is therefore essential that you create and securely store a back‑up copy of your certificate to prevent the loss of access to encrypted data.