This guide is required if you are an FPS merchant using App-to-App payment, especially for HSBC merchants.
When Do You Need an e-Cert?
If you are integrating FPS App-to-App using a merchant-specific Universal Link, an e-Cert (server certificate) is required to secure the domain. This applies to banks such as HSBC, which operate in direct integration mode and require domain validation and organisation name matching.Important Notes for FPS App-to-App Certificate
FPS e-Cert Application Overview
CSR Generation Requirements
Before submitting the certificate application, generate a Certificate Signing Request (CSR). Example OpenSSL command:Parameter Breakdown
Notes
O=(organisation name) must exactly match the FPS payee name registered in the FPS Addressing Service.CN=(common name) is the domain name configured by QFPay.- Leave
OU=empty if no department is specified.
Documents Required
- Completed CPos Form 798F
- Business Registration (BR) copy
- Company Incorporation (CI) copy
- Domain ownership proof (invoice, DNS screenshot, or domain email confirmation)
Post-Issuance Responsibilities
Hongkong Post will send expiration reminders to the registered email 30 days and 14 days before expiry.
Merchants are responsible for timely renewal and notifying QFPay.
Merchants are responsible for timely renewal and notifying QFPay.
- Send the certificate (
.cer/.crt) and private key (.key) to QFPay Technical Support. - QFPay will complete backend setup for the FPS payment endpoint.
FPS Specification Reference
Section 6.9.2 — Certificate Validation Logic The payment app (e.g. HSBC app) validates that the Organisation Name (O) in the X.509 certificate matches the FPS payee name. The comparison is:- Case-insensitive
- Whitespace-insensitive

