Date: 6 July 2026
Updating e-Cert to comply with Microsoft Root Program Requirements
To comply with the Microsoft Root Program Requirements, which mandate that public S/MIME (“Secure/Multipurpose Internet Mail Extensions”) certificates must remain dedicated to email protection, Hongkong Post Certification Authority (HKPCA) will separate S/MIME (Secure Email) functions from our certificates and enhance our mailbox validation process.
Starting from 1 October 2026, HKPCA will implement the following changes:
- For e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment), new e-Cert with S/MIME functions will be issued for email protection. Existing e-Cert will continue support other purposes such as Client Authentication.
- For g-Cert (Individual) and g-Cert (Functional Unit), it will support S/MIME functions only.
- For e-Cert (Organisational Role) and other e-Cert, it will no longer support S/MIME functions.
In addition, the validity period of the following e-Cert will be adjusted to one year to enhance security. Details are as follows:
| Type of e-Cert | Existing Validity Period | New Validity Period |
|
A maximum of two years | One year |
# For usage other than S/MIME
* Newly issued from 1 October 2026 and supports S/MIME functions only
The maximum validity period of other e-Cert types remains unchanged.
The transition plan is arranged as follows:
| Date | Event |
| With immediate effect | New types and old types of trial e-Cert (Personal), e-Cert (Organisational), e-Cert (Encipherment), e-Cert (Organisational Role), g-Cert and their Trial Sub-CA certificates are available for testing upon request. |
| Starting from 1 October 2026 | For Secure Email Use: - e-Cert (Personal) with S/MIME Functions - e-Cert (Organisational) with S/MIME Functions - e-Cert (Encipherment) with S/MIME Functions - g-Cert (Individual) - g-Cert (Functional Unit) will be issued by the new Sub CA certificate “Hongkong Post e-Cert CA 2 – 26”. For usage other than Secure Email: - e-Cert (Personal) - e-Cert (Organisational) - e-Cert (Encipherment) will be issued by the reissued Sub CA certificate “Hongkong Post e-Cert CA 2 – 17”. - e-Cert (Personal) with "Mutual Recognition" Status - e-Cert (Organisational) with "Mutual Recognition" Status - e-Cert (Organisational Role) will be issued by the reissued Sub CA certificate “Hongkong Post e-Cert CA 2 – 15”. “Extended Key Usage” (EKU) field of e-Cert and Sub CA certificate will specify its dedicated certificate usage. e-Cert with both “S/MIME” and “Client Authentication” in the EKU field will CEASE to be issued. |
If you wish to apply for the above-mentioned types of e-Cert with existing certificate profiles and validity period before the effective date, please submit your application by the following deadlines to ensure that the applications can be processed before 1 October 2026:
- e-Cert (Personal): by 6:00 pm, 25 September 2026
- Other e-Cert: by 6:00 pm, 16 September 2026
Actions to be taken by e-Cert (Personal), e-Cert (Organisational), e-Cert (Encipherment) Subscribers
- Subscribers and relying parties should review as soon as possible their current use of the “S/MIME” and “Client Authentication” attribute in the EKU field in their systems and applications.
- Starting from 1 October 2026, Subscribers applying for e-Cert (Personal), e-Cert (Organisational), e-Cert (Encipherment) are required to select their intended use (i.e. S/MIME or Client Authentication) at the time of application.
Support Arrangements
Trial e-Certs and their respective Trial Sub CA certificates are available for testing upon request. To request trial certificates or enquire about this update, please call Hongkong Post Certification Authority e-Cert Customer Service at 2921 6633 or email to enquiry@eCert.gov.hk.




