Questions

If the number of Additional Servers increases while the certificate is still within its validity period, the subscriber may fill in the application form to increase the number of Additional Servers and pay the subscription fee only for the increase in the number of Additional Servers. The subscription fee to be paid covers the whole validity period of the certificate regardless of when the certificate is to be used in the Additional Servers. When the certificate is to be renewed, the subscriber should fill in the total number of Additional Servers and pay the subscription fee for certificate renewal as well as the relevant subscription fee for the total number of Additional Servers.

If the number of Additional Servers decreases, the subscriber can only change the number of Additional Servers during the certificate renewal and pay the subscription fee for certificate renewal as well as the relevant subscription fee for the updated number of Additional Servers.

Subscription fees paid for Additional Servers will not be refunded due to a decrease in the number of Additional Servers.

No. The server names in a d-Cert (Server) with “Multi-domain” feature cannot be changed after the certificate is issued. The subscriber may consider applying for another d-Cert (Server) with the relevant option for the changed server names.

Yes. The subscriber may choose a d-Cert (Server) showing the organisation name and branch name in Chinese during the submission of the Certificate Signing Request (CSR). Once the certificate has been issued, this information cannot be modified.

No. One and only one wildcard character (“*”) is allowed in the server name of a d-Cert (Server) with “Wildcard” feature, and the wildcard character (“*”) must be in the left-most component of the fully qualified domain name of the server name.

No. A d-Cert (Server) certificate can only have either “Multi-domain” feature or “Wildcard” feature. If you need both of the features, then you have to apply for two d-Cert (Server) certificates for the relevant servers, one for “Multi-domain” feature and the other for “Wildcard” feature.

Yes.

Revocation of a d-Cert (Server) with “Multi-domain” feature can only be applied to all but not some of the server names contained in the certificate. Revocation of a d-Cert (Server) with “Multi-domain” feature will revoke the validity of all server names contained in the certificate.

No d-Cert (Server) certificate accepts an IP address as a server name to be included in the certificate.

Only one certificate will be issued for each d-Cert (Server) application with the “Wildcard” or “Multi-domain” feature. The subscriber may copy this certificate for installation on the servers specified in the application.

First check whether CAA Records have been configured in your Domain Name Servers (DNS).

  • If no CAA record is present and no warnings or errors appear during the domain validation, any Certification Authority (CA), including HKCA, is permitted to issue certificate for your domain.
  • If CAA records exist in your DNS, you must ensure that HKCA is explicitly authorised. To do so, add the following CAA record for your domain (e.g., example.com):

example.com.  CAA  0  issue  "hkca.hk"

HKCA will check the Certification Authority Authorisation record(s) (“CAA Record”) published for the domain name(s) to be identified in the certificate. If a CAA Record exists that does not list HKCA’s domain name “hkca.hk” as an authorised issuer domain name, the certificate application will not proceed. If no CAA Record exists for the domain name(s) to be identified in the certificate, and no warning or error messages are encountered during domain validation checking, HKCA considers that the applicant allows HKCA to issue a certificate for the domain name(s).
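As an added example (not HKCA’s own code), the following Python models the CAA check described above using the RFC 6844/8659 lookup: walk up from the server name to the closest published CAA record set, then decide whether the issuer domain hkca.hk is listed. It goes slightly beyond the page by applying the issuewild tag to wildcard names. The zone data is constructed for the example; the real check is performed by the CA against live DNS.

```python
# Constructed CAA data for the example: owner name -> list of (flags, tag, value).
# In real DNS these would be the CAA RRsets returned by a resolver.
CONSTRUCTED_CAA = {
    "example.com.": [(0, "issue", "hkca.hk")],
    "other.example.": [(0, "issue", "some-other-ca.example")],
    # issuewild ";" forbids wildcard issuance even though issue allows hkca.hk
    "wild.example.": [(0, "issue", "hkca.hk"), (0, "issuewild", ";")],
    # "nocaa.example." deliberately has no CAA record at any level
}

HKCA_ISSUER_DOMAIN = "hkca.hk"


def relevant_caa_set(fqdn, zone):
    """Return the closest CAA record set for fqdn or one of its ancestors.

    RFC 8659 s.3: the relevant set is the first non-empty CAA RRset found while
    climbing from the requested name towards the root.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if name in zone:
            return zone[name]
    return []


def ca_may_issue(server_name, zone, issuer=HKCA_ISSUER_DOMAIN):
    """Decide whether `issuer` is authorised to issue for server_name.

    Wildcard names (*.example) are governed by 'issuewild' records when any
    are present, otherwise by 'issue' records (RFC 8659 s.4.3). A value of
    ";" means no CA at all may issue; parameters after ";" are ignored here.
    """
    is_wildcard = server_name.startswith("*.")
    lookup_name = server_name[2:] if is_wildcard else server_name
    records = relevant_caa_set(lookup_name, zone)
    if not records:
        return True  # no CAA published: any CA, including HKCA, may issue
    governing = [r for r in records if r[1] == "issuewild"] if is_wildcard else []
    if not governing:
        governing = [r for r in records if r[1] == "issue"]
    if not governing:
        return True  # CAA present but no issue/issuewild property: unrestricted
    for _flags, _tag, value in governing:
        issuer_domain = value.split(";", 1)[0].strip().lower()
        if issuer_domain == issuer:
            return True
    return False
```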

The subscription fee for a d-Cert (Server) with “Wildcard” feature already includes the subscription fee required for installing the certificate in one server (the default server). If the certificate is to be installed in any additional physical server or virtual machine that operates on a separate operating system from the default server, then each such physical server or virtual machine is chargeable.

Example#1:

d-Cert (Server) with “Wildcard” feature installed in two servers – one server is active while the other server is for standby only. The total number of servers installed with d-Cert (Server) with “Wildcard” feature is two, and the number of ‘Additional Server’ is one.

Example#2:

d-Cert (Server) with “Wildcard” feature installed in one physical server and two servers running on virtual machines, each running under a separate operating system. The total number of servers installed with d-Cert (Server) with “Wildcard” feature is three, and the number of ‘Additional Servers’ is two.

The procedures for submission of a Certificate Signing Request (CSR) for a d-Cert (Server) with “Wildcard” feature or “Multi-domain” feature are the same as for a d-Cert (Server). You only need to submit one CSR for each d-Cert (Server) with “Multi-domain” feature or d-Cert (Server) with “Wildcard” feature applied for, regardless of the total number of ‘Additional Server Name(s)’ in the d-Cert (Server) with “Multi-domain” feature or the number of ‘Additional Server(s)’ in which the d-Cert (Server) with “Wildcard” feature is to be installed. You only need to input the server name in the Subject Common Name of the CSR to be submitted; it is not necessary to specify any ‘Additional Server Name(s)’ in the CSR. The ‘Additional Server Name(s)’ applied for in the application will be included in the certificate automatically by the system when the certificate is issued. For more details about submission of a CSR, please refer to the d-Cert (Server) User Guide.

d-Cert (Server) with “Wildcard” feature and “Multi-domain” feature have the following advantages:

  • d-Cert (Server) with “Wildcard” feature allows the certificate to be used for all server names at the same domain or sub-domain level owned by the Subscriber Organisation.
  • d-Cert (Server) with “Multi-domain” feature allows the use of the certificate to identify up to 50 server names owned by the Subscriber Organisation. It also allows server names under different domain names owned by the Subscriber Organisation.
  • The certificate includes “digital signature” Key Usage which can be used for server authentication and for establishment of secure communication channels with the server.

Therefore, if the Subscriber Organisation has many server names under the same or different domain names, using a d-Cert (Server) with “Wildcard” feature or “Multi-domain” feature is more effective and flexible.

A website installed with Extended Validation d-Cert (Server) will appear in common web browsers with a padlock icon in the address bar. The subscriber organization’s name will be displayed for verification when the padlock icon is clicked.

The minimum requirements to install a SHA-256 d-Cert (Server) on popular platforms and applications are listed as follows:

System Platform / Application    Minimum Requirements
Windows Server                   2003 SP2 + KB 938397
Apache Server                    Dependent on OpenSSL version (0.9.8o or above)
Microsoft Exchange Server        Dependent on Windows Server version
IBM Domino Server                9.x with Fix Pack
IBM HTTP Server                  8.5 (bundled with Domino 9)
Oracle WebLogic                  10.3.1 or above

Please be careful when choosing your domain name. You cannot change this information after the certificate is issued. The domain name should be the exact server name where the certificate will be installed. When a browser connects to your server, it will match the domain name to that on the certificate. If the names do not match, the browser will return an authentication error.

The Certification Authority Authorization (CAA) Record, as defined in RFC 6844, allows a domain name holder to specify one or more Certification Authorities (CAs) authorised to issue certificates for that domain.

An Extended Validation (EV) d-Cert (Server) provides the highest level of assurance regarding the identity of the organisation operating a website. Before issuing an EV d-Cert (Server) to the organisation, HKCA will verify the organisation’s legal, physical, and operational existence, as well as its identity and authority to request the certificate. This process is carried out in accordance with the Guidelines for the Issuance and Management of Extended Validation Certificates published by the CA/Browser Forum.

Domain Validation (DV): Verifies control of the domain only.

Organisation Validation (OV): Verifies domain ownership AND the legal identity of the organisation. It provides more trust.

Extended Validation (EV): The highest level of validation. It requires a strict verification of the organisation’s legal and operational identity. EV certificates are ideal for e-commerce and financial sites.

  1. d-Cert (Server) without “Wildcard” feature or “Multi-domain” feature: Only one server name is allowed, and the wildcard character (“*”) is not allowed in any part of the server name.
  2. d-Cert (Server) with “Wildcard” feature: Only one server name is allowed, and the left-most component of the server name must be a wildcard character (“*”).
  3. d-Cert (Server) with “Multi-domain” feature: Up to 50 server names can be specified, and the wildcard character (“*”) is not allowed in any part of the server name(s).

Note: All server names must be owned by the Subscriber Organisation.
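As an added example (not HKCA’s own code), the following Python checks the server name(s) in an application against the rules stated above for the three options: one name only without any wildcard, one name whose left-most label is a single “*”, or up to 50 wildcard-free names; IP addresses are rejected for every option. The option labels, error messages and hostname-label pattern are this example’s own choices.

```python
import ipaddress
import re

MAX_MULTI_DOMAIN_NAMES = 50  # limit stated for the "Multi-domain" feature
# Letters-digits-hyphen hostname label, 1..63 characters, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_ip_address(name):
    """IP addresses are never accepted as server names in any d-Cert (Server)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_name(name, allow_wildcard):
    """Return an error string for one server name, or None if it is acceptable."""
    name = name.strip().lower()
    if not name:
        return "empty server name"
    if is_ip_address(name):
        return f"{name}: IP addresses are not accepted as server names"
    if name.count("*") > 1:
        return f"{name}: only one wildcard character is allowed"
    labels = name.split(".")
    if "*" in name:
        if not allow_wildcard:
            return f"{name}: wildcard character is not allowed for this option"
        if labels[0] != "*" or len(labels) < 2:
            return f"{name}: the wildcard must be the entire left-most label"
        labels = labels[1:]
    elif allow_wildcard:
        return f"{name}: 'Wildcard' option requires a left-most '*' label"
    for label in labels:
        if not LABEL_RE.match(label):
            return f"{name}: invalid hostname label '{label}'"
    return None


def validate_application(option, names):
    """option is 'standard', 'wildcard' or 'multi-domain'; returns a list of errors."""
    errors = []
    if option in ("standard", "wildcard") and len(names) != 1:
        errors.append(f"{option}: exactly one server name is allowed, got {len(names)}")
    if option == "multi-domain" and not 1 <= len(names) <= MAX_MULTI_DOMAIN_NAMES:
        errors.append(f"multi-domain: 1 to {MAX_MULTI_DOMAIN_NAMES} names allowed, got {len(names)}")
    for n in names:
        err = check_name(n, allow_wildcard=(option == "wildcard"))
        if err:
            errors.append(err)
    return errors
```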

Applicants may choose the d-Cert (Server) option according to their needs. The following are for reference:

  1. d-Cert (Server) with “Wildcard” feature: suitable for applicants applying for certificates for multiple server names under the same domain. For example, a d-Cert (Server) with “Wildcard” feature issued to *.hkca.hk can be used for all of the following server names:
    • www.hkca.hk
    • hkca.hk
    • mail.hkca.hk
    • ftp.hkca.hk
  2. d-Cert (Server) with “Multi-domain” feature: suitable for applicants applying for certificates for multiple server names under different domains. For example, a d-Cert (Server) with “Multi-domain” feature may be used for all of the following server names:
    • www.hkca.hk
    • hkca.hk
    • www.hkirc.hk
    • hkirc.hk
  3. d-Cert (Server) without “Wildcard” feature or “Multi-domain” feature: each certificate identifies one server name only, suitable for applicants applying for certificates for only one or a few servers. For example:
    • www.hkca.hk