A. PUBLIC KEY INFRASTRUCTURE (PKI)

A-1 What is Encryption?

The concept of encryption is simple: a message is converted from
the original (plain text) into another, incomprehensible form (cipher
text) by means of a specified procedure (algorithm) and a key. The
same key can then be used to decrypt the message to its original
form. Knowledge of the encryption key is necessary to carry out
decryption.

With the encryption techniques in use today, the security of the
system is critically dependent on the length of the key used for
the encryption. As encryption algorithms are publicly available,
the strength of the encryption rests on the complexity (i.e., the
length) and the secrecy of the key.

A-2 What is Public Key Cryptography and how does it work?

Public Key Cryptography or Asymmetric Cryptography forms the basis of
digital signatures and Public Key Infrastructure. This technique makes
use of a pair of mathematically related, but different keys - a private
key and a public key. The private key is kept secret and is only
accessible to its owner; the public key is intended for wide
distribution.

If one key is used to encrypt a message, then only the other
key in the pair can be used to decrypt it.

The public key can be used to verify a message signed with the private
key, or to encrypt messages that can only be decrypted using the private
key.

A-3 What is a Certification Authority (CA)?

A Certification Authority (CA) is an organisation
that issues independently authenticated digital certificates for use
by individuals or organisations.

A-4 What is a digital certificate?

A digital certificate is an
electronic file issued and digitally signed by a Certification Authority,
vouching for the identity of the certificate holder.

A-5 What is the BEA Bank-Cert?

The BEA Bank-Cert is a digital certificate that is issued, signed
and managed by Hongkong Post Certification Authority (CA) and is
X.509 v3 compliant.

BEA RA offers the following type of digital certificate:

a. BEA Bank-Cert (Corporate):
   It is issued to organizations that hold a valid business registration
   certificate issued by the Government of the Hong Kong SAR, and to
   statutory bodies of Hong Kong whose existence is recognized by the
   laws of Hong Kong. It identifies the members or employees of the
   organization whom the organization has authorised to use the
   certificate and indicates the connection the member or employee has
   to the organization.

A-6 What is a Digital Signature and how does it work?

A digital signature is a unique
string of bits that is separately generated for each message, 'signed'
by the private key of the sender, and appended to the message prior
to being forwarded to the intended recipient. By verifying the signature
using the public key of the sender, the receiver will be able
to confirm the identity of the sender and be certain that the message
has not been altered during transmission. In this way, digital signatures
provide:

• Authentication: proof of identity
  of the parties to an electronic transaction;

• Integrity: assurance that the contents
  of a message have not been tampered with or modified;

• Non-repudiation: proof of agreement to
  the terms of the transaction and prevention of denial of commitment.

A-7 Are there laws in Hong Kong regulating digital signatures?

The Electronic Transactions Ordinance,
CAP 553, came into effect on 7 January 2000. The Ordinance is available
for viewing at URL: www.info.gov.hk/justice.

A-8 What is the meaning of "Reliance Limit" for the e-Cert certificate?

Reliance Limit means the monetary limit
specified for reliance on a recognised certificate. The relevant sections
of the Electronic Transactions Ordinance are Sections 41 and 42.

A-9 What is Hash Function/Value?

A hash function computes a short, fixed-length digest from any given
message; the digest represents the message content. It is impossible
to recover the original message from the digest, and computationally
difficult to find any two messages that hash to the same result.

MD5 and SHA-1 are common hash algorithms.

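The pieces described in A-2 to A-9 (key pair, CA, certificate, hash, signature) fit together as in the following added example, which is not part of the original FAQ nor any Hongkong Post or BEA software. It assumes unpadded textbook RSA over constructed toy keys built from Mersenne primes, hypothetical names (Alice Chan, Mallory) and a simplified certificate record, and it uses SHA-256 rather than the MD5 or SHA-1 named in A-9, for which collisions have been demonstrated; real certificates use X.509 encoding and padded signatures.

```python
import hashlib
import json

E = 65537  # public exponent used by every toy key below


def toy_keypair(a, b):
    """Textbook-RSA key pair from the Mersenne primes 2**a-1 and 2**b-1.

    Constructed toy keys: trivially factorable, for illustration only.
    """
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(data):
    """SHA-256 digest as an integer: fixed length for input of any length."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private):
    """Signature = digest of the data transformed with the private key."""
    return pow(digest(data), private["d"], private["n"])


def verify(data, signature, public):
    """Undo the signature with the public key and compare digests."""
    return pow(signature, public["e"], public["n"]) == digest(data)


def cert_body(subject, public):
    """Canonical bytes of what the CA signs: a name bound to a public key."""
    return json.dumps({"subject": subject, "key": public}, sort_keys=True).encode()


def issue_certificate(subject, subject_public, ca_private):
    """The CA vouches for the binding by signing it with its own private key."""
    return {"subject": subject, "public": subject_public,
            "ca_signature": sign(cert_body(subject, subject_public), ca_private)}


def accept_message(message, signature, cert, ca_public, expected_sender):
    """Recipient-side check: the certificate first, then the message signature."""
    body = cert_body(cert["subject"], cert["public"])
    if not verify(body, cert["ca_signature"], ca_public):
        return False  # certificate was not issued by the CA we trust
    if cert["subject"] != expected_sender:
        return False  # valid certificate, but for somebody else
    return verify(message, signature, cert["public"])


def demo():
    """Return (genuine, altered, forged) acceptance results for sample data."""
    ca_public, ca_private = toy_keypair(521, 607)
    alice_public, alice_private = toy_keypair(607, 1279)
    mallory_public, mallory_private = toy_keypair(521, 1279)

    cert = issue_certificate("Alice Chan", alice_public, ca_private)
    message = b"Transfer HKD 1,000 to account 012-345678"  # constructed sample
    signature = sign(message, alice_private)

    genuine = accept_message(message, signature, cert, ca_public, "Alice Chan")
    # Integrity: the same signature no longer matches an altered message.
    altered = accept_message(message.replace(b"1,000", b"9,000"), signature,
                             cert, ca_public, "Alice Chan")
    # Authentication: a certificate naming Alice that the CA did not sign
    # is rejected, whatever key signed the message.
    forged_cert = issue_certificate("Alice Chan", mallory_public, mallory_private)
    forged = accept_message(message, sign(message, mallory_private),
                            forged_cert, ca_public, "Alice Chan")
    return genuine, altered, forged


if __name__ == "__main__":
    print(demo())
```
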
A-10 What is S/MIME?

S/MIME (Secure/Multipurpose
Internet Mail Extensions) is a de facto standard for sending secure
e-mail over the Internet. MIME is the industry standard format for
electronic mail, which defines the structure of the message's body.
S/MIME adds security to the MIME standard. E-mail applications
that support S/MIME add digital signatures and encryption capabilities
to that format. Standardisation of the secured message's format allows
users to conduct private and authenticated communications, independent
of the e-mail software they use, as long as this software is S/MIME
compatible. You and your recipient must have public key certificates
and S/MIME compatible e-mail applications in order to send and receive
secured e-mail.

A-11 Why is/are there an S/MIME .p7m and/or S/MIME .p7s attachment to my e-mail?

S/MIME is the secure e-mail protocol; .p7m contains the encrypted
message while .p7s is the digital signature file. If this is received
as an attachment, there are 2 possibilities:

i. You may be using a web-based e-mail account.
   It is suggested that you change your e-mail account to a non web-based
   account;

ii. You may be using an e-mail client which
   is not S/MIME compatible and will not be able to verify the attached
   signature. It is suggested that you upgrade your e-mail client to
   the latest version (e.g., Microsoft Outlook 98/2000) or use another
   S/MIME compatible mail programme (e.g., Microsoft Outlook Express
   5 or Netscape Messenger 4.7 or above).

A-12 What is a Secure Socket Layer (SSL)?

The SSL handshake protocol was developed
by Netscape Communications Corporation to provide security and privacy
over the Internet. The Protocol supports server and client authentication.
The SSL Protocol is application independent, allowing protocols like
HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol),
and Telnet to be layered on top of it transparently. The SSL Protocol
is able to negotiate encryption keys, as well as to authenticate the
server before data are exchanged by the higher-level application.
The SSL Protocol maintains the security and integrity of the transmission
channel by using encryption, authentication and session keys.

B. BEA BANK-CERT SERVICES

B-1 Does BEA Bank-Cert support Chinese characters?

Currently, the technology adopted by Hongkong
Post does not support Chinese characters. Hence, for the present, all
BEA Bank-Certs will be issued in English only.

B-2 Does BEA Bank-Cert Support Elliptic Curve Cryptosystem (ECC)?

ECC is not supported for the time being.

B-3 Does BEA Bank-Cert Support Object Signing and Authenticode?

Object signing and Authenticode are not
supported for the time being.

B-4 Can BEA Bank-Cert be used internationally?

BEA Bank-Certs are X.509 v3 compliant (an
international standard) and can, therefore, be used internationally.

B-5 What happens after my Bank-Cert expires?

When a BEA Bank-Cert expires, it can no
longer be used for secured e-mail. You should re-apply for a new Bank-Cert.

B-6 For how long are BEA Bank-Certs valid?

BEA Bank-Certs are valid for 1 year.

B-7 How often can I request an extension or renewal of my digital certificate, and will the same key be certified again?

BEA Bank-Cert (Corporate):
There is no automatic renewal for Bank-Cert (Corporate). The process
of authentication will be the same as for a new application.

B-8 Can I change the information on a certificate?

A digital certificate, once generated,
cannot be changed. If any information on the certificate, such as
your name or your e-mail address, has changed, you must apply for a new
certificate. You should also revoke your existing certificate.

B-9 What are the key lengths supported by Hongkong Post CA?

Hongkong Post CA supports certificates
of any key length up to 2048 bits.
Hongkong Post CA root certificates have 2048-bit keys.

B-10 How do I retrieve a lost or accidentally deleted Bank-Cert?

If you lose your Bank-Cert, you must revoke your certificate
immediately. If you have accidentally
deleted your certificate, you simply need to import the certificate
from your back-up copy. If you do not have a back-up copy, you must
submit a new application.

B-11 Why is it important to make a back-up copy of my Bank-Cert?

If you lose your certificate, and you do
not have a back-up copy, you will lose access to all your old encrypted
messages (as you will not have your private key which you need to
decrypt these messages). It is absolutely essential, therefore,
that you make a back-up copy of your certificate.

B-12 What are the authentication procedures for Bank-Cert?

Details of authentication procedures are
available from the Hongkong Post Certification Practice Statement
at www.hongkongpost.gov.hk.

B-13 Where can I find the terms and conditions governing the use of BEA Bank-Cert?

The Subscriber Agreement and
the Certification Practice Statement, which can be obtained at any
Post Office counter, show all details of the terms and conditions
governing the use of BEA Bank-Cert. The Certification Practice Statement
can also be viewed at the Hongkong Post CA web site at www.hongkongpost.gov.hk
<http://www.hongkongpost.gov.hk/>.

B-14 Hongkong Post Bank-Cert (Bank of East Asia - Corporate) - Customer Service Hotline Information.

If you have any enquiries about the BEA
Bank-Cert application, please contact our Registration Authority Centre:

Hotline Number: 3608 2513
Service Hours:
  Monday to Friday 9:00 a.m. to 5:00 p.m.
  Saturday 9:00 a.m. to 1:00 p.m.

In addition, your Authorised Representative (AR) and Subscriber can
send their enquiries, suggestions or complaints to Hongkong Post Certification
Authority Centre directly by:

Mail to: Electronic Services Division, Kowloon East Post Office
Box 6877
Telephone: 2921 6633
Fax: 2775 9130
E-mail: enquiry@hongkongpost.gov.hk

D. CENTRAL KEY GENERATION SERVICE FOR BANK-CERT

D-1 What is Central Key Generation Service and how does it work?

A Subscriber may generate the key pair
by himself/herself. Alternatively, Hongkong Post provides a Central
Key Generation Service on behalf of the Subscriber. If Subscribers
opt for this service, they agree to delegate the
key pair generation and certificate creation to Hongkong Post personnel.
Hongkong Post will notify and seek the Subscriber's confirmation through
the Internet as to the accuracy of the certificate contents prior
to such generation and creation. The whole process is performed in
a trustworthy manner and environment within Hongkong Post's premises
to prevent the certificate from being tampered with. The generated certificate
file will be stored on a floppy disk and delivered to the Subscriber
in a specified manner as provided for in the application form.

D-2 Is Central Key Generation Service applicable to all types of Bank-Cert?

The Central Key Generation Service is applicable
to Bank-Cert (Corporate). Subscribers who opt for this service should
make the request and specify the collection/delivery arrangement at
the time of application.

D-3 Do subscribers have to pay additional service charges?

No additional fee will be charged for this
Central Key Generation Service. However, prepayment of postage at
the prevailing rate will be collected from subscribers at the time of
application if they request the generated Bank-Cert file to be delivered
by Local Courierpost.

D-4 How to collect the Bank-Cert files created under the Central Key Generation Service?

For Bank-Cert (Corporate), the Bank-Cert
file created under the Central Key Generation Service has to be collected
by the organisation's authorised representative (or other personnel
as delegated by the authorised representative) from the designated
BEA branch as specified in the Bank-Cert application forms. For Bank-Cert
(Corporate) certificates, subscribers may choose to collect the Bank-Cert
files in one of the following manners:

(a) By Recorded Delivery, or

(b) By Local Courierpost.

D-5 Are there any protective measures to safeguard the private key of the Bank-Cert created under the Central Key Generation Service?

Hongkong Post does NOT keep a copy of the
private key. The floppy disk containing the Bank-Cert and the key
pair is protected by a 16-digit PIN which is handed over separately
to the subscribers at the time of application. This PIN will also
be required when the subscriber imports the Bank-Cert into the
Internet browser.

D-6 Which versions of Internet browser can the Bank-Cert file generated under the Central Key Generation Service work with?

The Bank-Cert file generated under the
Central Key Generation Service can work with the following Internet
browsers:

• Netscape Navigator v4.08 / Communicator
  v4.5 or above with Bank-Cert Software (Netscape User Part) installed

• Internet Explorer v5.01 or above with a
  128-bit high encryption module

D-7 Is there any tool or program that can be used to change the password of the Bank-Cert file?

As a quicker and easier way
of changing the password of the Bank-Cert file, a "Change Password
Program" is available for download from the Hongkong Post CA web
site at <http://www.hongkongpost.gov.hk/6support/s6_fr.html>
(for English web page) or <http://www.hongkongpost.gov.hk/chi/6support/s6_fr.html>
(for Chinese web page). After downloading and a simple installation,
the program is ready for use.

D-8 Is there any restriction in using the "Change Password Program" software?

The "Change Password Program"
software is designed for use by the Subscribers of Bank-Cert in changing
the password of the Bank-Cert file that is created and saved on a
floppy disk through the Central Key Generation Service. It can only
work on the MS Windows 95, MS Windows 98 and MS Windows NT platforms.

D-9 How does the "Change Password Program" work?

The "Change Password Program"
is window-based software. It lets the Subscriber change
the password of the Bank-Cert file easily. If the change is successful,
the Bank-Cert file on the same floppy disk will be updated with the
new password.

E. TECHNICAL ISSUES

E-1 System Requirements

The minimum system requirements are:

• Pentium 133 or above (or compatible) with
  32 MB RAM

• Windows 95, Windows 98 or Windows NT

• Netscape Navigator 4.08 / Communicator
  4.5 (or above) or Microsoft Internet Explorer 5.01 with 128 bit high
  encryption (or above)

• Hard disk free space: 100 MB

E-2 How do I know that my Bank-Cert certificate is properly installed?

For Netscape Users:

1. Open your Netscape browser;

2. Click on the security icon (the one that
   looks like a padlock) from the main toolbar;

3. Select Certificates > Yours from the
   menu on the left. Verify that your new Bank-Cert is listed in the
   personal certificates display.

4. To view your Bank-Cert particulars, select
   it (Bank-Cert) and then click the 'view' button.

E-3 What should I do if my PIN does not appear to work?

You must type the PIN correctly, making sure that:

1. the PIN includes all 16 digits,

2. there are no spaces before, after, or within
   the PIN

If the problem persists, please contact
the Hongkong Post CA Enquiry Hotline at 2921 6633.

E-4 Why am I getting an 'Expired Certificate' message shortly after downloading it?

This could happen because the
system time of your PC is slower than that of our CA system. Our CA
system uses the Global Positioning System (GPS) clock to stamp the certificate.
To avoid this, all you need to do is wait for a while or correct your
system clock.

E-5 I have deleted my Netscape Navigator and installed the latest version. How do I reinstall my digital certificate?

If you have removed your old
copy of Netscape Navigator, you have also deleted the file that contains
the private key associated with your Bank-Cert. Without that private
key or a back-up copy, you cannot reinstall your Bank-Cert. You need
to apply for a new one.

Upgrading Navigator by using the Netscape installer preserves your
personal information, including your Bank-Cert and private key. In
future, whenever you need to upgrade Navigator, you should use this
installer.

E-6 How do I get 128-bit / full-strength sessions?

Firstly, when you hear people speak of a 128-bit or 40-bit connection,
they are referring to the "session key". This is a symmetric
key created by the browser when it connects to the server that is
used to encrypt AND decrypt data (transmitted to and from the server)
after the initial browser/server "handshake".

If your server supports full-strength sessions and the browser connecting
to your site supports 128 bits, then a 128-bit session key will
be created and used.

Browsers that have been exported from the United States are limited
to creating 40-bit session keys. Browsers that have been distributed
within the US or manufactured by companies outside the US can create
128-bit session keys and thus connect to similarly manufactured
and distributed servers in full-strength crypto.

Outside the US, certain financial institutions and governmental
organisations can apply for a Global Server Certificate, sometimes
referred to as a "Step-up Server Certificate". Having
one of these certificates installed on a server will guarantee a
128-bit connection with any browser, regardless of whether it is
an "export" or "domestic" version.

F. REVOCATION OF CERTIFICATES

F-1 How do I revoke my BEA Bank-Cert?

A subscriber may submit a request
to revoke her/his certificate at any time for any reason.
Revocation requests can only be made by the following methods:

1. Sending a certificate revocation request
   by fax to HKP directly (HKP Fax No.: 2775 9130) and the original of
   the revocation request by post.

2. Sending a certificate revocation request
   by letter to Hongkong Post CA, PO Box 68777, Kowloon East Post Office.

3. Sending a digitally signed e-mail to enquiry@hongkongpost.gov.hk

4. Presenting a revocation request in person
   at any post office or BEA Branch with the same signature as on the
   original application form.

Suspensions and revocations
of certificates will be effective only after they have been published
in the Certificate Revocation List (CRL).

Organisational Certificate Revocation Request

An organisational certificate can be revoked by:

1. A person nominated as an Authorised Representative
   for the organisation, whose signature appears on the application form
   as the authorised signature at the time of application; or

2. The person whose name appears
   on the certificate as the subscriber of that certificate.

Acknowledgement to the Subscriber/Authorised Representative

Based on a request by fax to Hongkong Post, HKP will place a "hold"
on the certificate, which effectively suspends, but does not revoke,
the certificate. The subscriber then has to send his/her original
of the revocation request to Hongkong Post to complete the revocation
process. In-person or digitally signed requests will be processed
directly as immediate revocations without the "hold" procedure. Hongkong
Post will endeavour to issue a Notice of Revocation to such subscribers
within one week following the request for revocation.

Business Hours for Processing Revocation Requests

Monday to Friday: 09:00 a.m. to 5:00 p.m.
Saturday: 09:00 a.m. to 12:00 noon
Sundays & Public Holidays: 09:00 a.m. to 12:00 noon (Hongkong Post only)

On any weekday on which a
tropical cyclone warning signal no. 8 (or above) or a black rainstorm
warning signal is hoisted, Hongkong Post Certificate Authority will
open at the usual time if the signal is lowered at or before 6 a.m.
that day. If the signal is lowered between 6 a.m. and 10 a.m. or at
10 a.m., Hongkong Post Certificate Authority will open at 2:00 p.m.
on any weekday, other than on a Saturday, Sunday and public holiday.

Service Pledge and Certificate Revocation List Update

1. Hongkong Post will exercise
   reasonable endeavours to see that within 2 working days of (1) Hongkong
   Post receiving a revocation request from the Subscriber or (2) in
   the absence of such a request, the decision by Hongkong Post to suspend
   or revoke the certificate, the suspension or revocation is posted
   to the Certificate Revocation List.

2. However, a Certificate Revocation
   List is not published in the directory for access by the public following
   each certificate revocation. Only when the next Certificate Revocation
   List is updated and published will it reflect the revoked status of
   the certificate. [Certificate Revocation Lists are published daily
   and are archived for 7 years.]

For the avoidance of doubt, all Saturdays,
Sundays and public holidays, and all weekdays on which a tropical
cyclone and rainstorm warning signal is hoisted, are not working days.

F-2 Why do I need to revoke my certificate before it expires?

We strongly recommend that you revoke (cancel)
your certificate if you suspect that your private key has been compromised,
or you no longer wish to participate in the Hongkong Post Public Key
Infrastructure.

F-3 How can I verify the status of my revoked certificate?

You can verify the status
of your revoked BEA Bank-Cert by pulling down the entire Hongkong
Post CA Certificate Revocation List (CRL) from the directory server
at ldap.hongkongpost.gov.hk, which is updated every day. The CRL on
the directory server can only be read by using the LDAP protocol and
you need client software with LDAP capability, for example, the
Crypto Tools bundled in the Bank-Cert Customer Kit. Alternatively,
you can go to our web site and access the CRL at the following URL:
www.hongkongpost.gov.hk/crl/eCert.crl. For users of Microsoft Windows
with Internet Explorer 5.0 or above, when you open the eCert.crl file,
there will be a CRL pop-up screen showing the list of revoked
certificates in certificate serial number order. You may then locate
the certificate by the certificate serial number. Please note that the
revocation status of expired certificates will not be published in the
CRL.

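How a relying party would apply the F-1 and F-3 rules (a fax request produces a "hold", revocation takes effect only once published, lists are published daily, expired certificates are not listed) is sketched in this added example, which is not Hongkong Post or BEA code. It models an already-parsed CRL; the class names, status labels, serial numbers and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CrlEntry:
    listed_at: datetime
    hold: bool = False  # True: suspended ("hold"), not yet finally revoked


@dataclass(frozen=True)
class Crl:
    this_update: datetime  # when this list was published
    next_update: datetime  # when the next list is due
    entries: Dict[int, CrlEntry]  # keyed by certificate serial number


def check_status(cert, crl, now):
    """Classify a certificate against one CRL snapshot at time `now`."""
    if now < cert.not_before:
        return "not-yet-valid"  # often a local clock running behind the CA's
    if now > cert.not_after:
        return "expired"  # the CRL carries no status for expired certificates
    entry = crl.entries.get(cert.serial)
    if entry is not None and not entry.hold:
        return "revoked"  # final, even when read from an old list
    if now > crl.next_update:
        return "crl-stale"  # fetch the current list before deciding
    if entry is not None:
        return "on-hold"
    return "not-listed"  # true only as of crl.this_update


def may_rely(status):
    """Only a certificate absent from a current list should be relied on."""
    return status == "not-listed"


def blind_window(crl, now):
    """Time since publication; a revocation requested in it is not yet visible."""
    return now - crl.this_update


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: one daily CRL and four certificates.
SAMPLE_CRL = Crl(
    this_update=utc(2001, 3, 1),
    next_update=utc(2001, 3, 2),
    entries={
        0x2A03: CrlEntry(utc(2001, 2, 27), hold=True),  # fax received, original pending
        0x2A04: CrlEntry(utc(2001, 2, 20)),             # revocation completed
    },
)
GOOD = Certificate(0x2A01, utc(2000, 9, 1), utc(2001, 9, 1))
HELD = Certificate(0x2A03, utc(2000, 9, 1), utc(2001, 9, 1))
REVOKED = Certificate(0x2A04, utc(2000, 9, 1), utc(2001, 9, 1))
EXPIRED = Certificate(0x2A05, utc(2000, 1, 15), utc(2001, 1, 15))
NOW = utc(2001, 3, 1, 12)

if __name__ == "__main__":
    for name, cert in [("good", GOOD), ("held", HELD),
                       ("revoked", REVOKED), ("expired", EXPIRED)]:
        status = check_status(cert, SAMPLE_CRL, NOW)
        print(name, status, "rely" if may_rely(status) else "do not rely")
    print("unseen period:", blind_window(SAMPLE_CRL, NOW))
```
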
G. DELETION AND RECOVERY ISSUES

G-1 Is there any way to recover my BEA Bank-Cert if my hard drive has crashed?

A hard drive crash may delete the certificate
in your computer. Once it has been lost, there is no way to retrieve
it. You will first need to revoke your certificate, then enrol for
a new one. You may also restore your back-up copy and import this
copy into your browser.

G-2 What should I do if my computer has been stolen together with my certificate?

As your digital certificate is protected
by a password, it is unlikely that anyone else will be able to use
it to impersonate you. However, we strongly advise you to revoke your
certificate immediately if your computer has been stolen and then
enrol for a new one.

G-3 Should I delete my expired or revoked Bank-Cert?

You should not delete your
expired or revoked Bank-Cert. By deleting a certificate, you will
no longer have access to the public key associated with it and it
will therefore no longer be possible to read encrypted messages with
it.

H. BACK-UP AND TRANSFER OF CERTIFICATE

H-1 How do I save a back-up copy of my digital certificate?

Each browser has its own back-up procedures.

For Netscape Users:

1. Click on the security icon
   (the one that resembles a padlock) from the main toolbar,

2. Select Certificates > Yours from the menu on the left,

3. Select the Bank-Cert you intend to save
   and click Export,

4. You will be prompted to choose a transport
   password which you will be asked for when importing or opening this
   copy of your Bank-Cert. Click OK,

5. Select a location (such as your floppy
   disk) and file name in which to save your Bank-Cert. Click Save,

6. Protect your floppy disk or other media
   and your transport password in a secure manner.

For Internet Explorer Users:

1. In your Internet Explorer browser, click
   Tools from the pull-down menu and select Internet Options.

2. In the Internet Options window,
   click on the tab Content and select Certificates.

3. Select the Personal tab and click
   on the certificate to be exported. Then click on the Export button.

4. The Certificate Manager Export Wizard pops
   up. Read the information provided therein and click on the Next
   button.

5. Now you have to indicate if you want to
   export the private key with your certificate. Select Yes, export
   the private key and click the Next button.

6. Check the option Include all certificates
   in the certification path if possible.

7. Uncheck the option Enable
   strong protection (requires IE 5.0, NT 5.0 or above) if you will
   use the exported file in applications other than IE 5.0 or above.

8. Click the Next button.

9. Type in a password of no less than 8 characters
   in length (you may select a new password if you wish) to protect the
   .PFX file. Then click Next.

10. You must now decide where to save the .PFX
    file. Locate and choose a directory for this file. Type a friendly
    name in the File name box. Click Next.

11. In the pop-up Export Wizard window, click
    Finish.

12. The export is complete; click the OK
    button.

H-2 How do I transfer my digital certificate to a new computer?

The first step for transferring
your Bank-Cert is to save ("Export") it from the computer's
hard drive onto a floppy disk or other transfer medium. When your
Bank-Cert has been successfully exported, you can then import it into
the new computer.

To import your Bank-Cert into Netscape Navigator:

1. Click on the security icon (the one that
   looks like a padlock) from the main toolbar,

2. Select Certificates > Yours from
   the menu on the left,

3. Select Import,

4. You will then be prompted to
   give the password you will use to protect your Bank-Cert,

5. Locate your Bank-Cert from the floppy disk
   or other medium used to back up your Bank-Cert (it should have a .p12
   extension). Highlight it and click Open,

6. Enter your transport password and click
   OK.

To import your Bank-Cert into Internet Explorer:

1. In your Internet Explorer browser, click
   Tools in the pull-down menu and select Internet Options.

2. In the Internet Options window that
   pops up, click on the tab Content and select Certificates.

3. Select the Personal tab and click
   on the Import button.

4. The Certificate Manager Import Wizard pops
   up. Read the information provided therein and click on the Next
   button.

5. You have to select the file to be imported.
   Click on the Browse button and select the location and filename
   to be imported. If you are importing a PKCS#12 certificate file produced
   by Bank-Cert Central Key Generation, or exported from other applications
   which use the .P12 file extension, you need to click the Browse button,
   change the Files of type to All Files (*.*) in the Open window
   and then select the required .P12 file.

6. Click the Next button. The
   system will then prompt you to enter the password. The password used
   while exporting the file has to be used here. Check the box Enable
   strong private key protection. If you want to export the certificate
   sometime in the future, check the box Mark the private key as exportable
   as well.

7. Key in the password and click the Next
   button.

8. Selecting a store for the Certificate:
   Select the first option for the system to Automatically select
   the certificate store based on the type of certificate. Click
   on the Next button.

9. The Certificate Manager Import Wizard finishing
   screen appears. Click on the Finish button. The Private Key Container
   screen will appear. Microsoft Internet Explorer stores your key pair
   and Bank-Cert Certificate details in the Private Key Container. Hence
   in the following steps, you are required to choose the security level
   and provide a profile/username and password to be stored for identification
   and access permissions.

10. Click the Set Security Level button.

11. Select High security level (default
    set to medium). Click the Next button.

12. The Private Key Container
    window now seeks a password to protect the key pair.
    If any profiles were created earlier, you may select the option Use
    this password to access this item and select the appropriate profile
    from the dropdown list.
    If you are using a newly installed Microsoft Internet Explorer or
    if you have not created any profile before, select the option Create
    a new password for this item and key in a name and password for
    the new profile.

13. Click the Finish button.

14. Key in the Private Key Container password
    again and click the OK button.

15. If the PKCS#12 file contains the Root CA
    certificate, a pop-up window will be displayed to re-confirm the storing
    of the Hongkong Post Root CA certificate in the Root Store of Internet
    Explorer. Click Yes to continue. This window will not pop up
    if the root CA certificate has already been installed in the browser.

16. Click on the OK button and close the
    Certificate Manager wizard and the Internet Options windows.