Hi, Lambert.
Thank you very much for your report. I will be responding to this incident on behalf of SHECA. SHECA is currently conducting an internal investigation and will respond to this matter as soon as possible.

Best Regards,

On Thursday, October 2, 2025 at 7:35:24 AM UTC+8 Lambert Evans wrote:
> Hi all,
>
> I have been doing some research recently and discovered a Chinese company
> offering various online tools for SSL certificates. Among which, I noticed
> its CSR generation tool and it reminded me of the discussions the community
> had before on certificate resellers and key security.
> https://groups.google.com/g/mozilla.dev.security.policy/c/Xio6mrdxp2M/m/m38TJkblAgAJ
>
> This vendor provides CSR creation tool with two methods, online generation
> and browser generation. However, I'm not yet pretty sure about its
> implementation details and whether they will store the private keys
> generated.
>
> CSR Creation Tool:
>
> https://tools.imtrust.cn/#/cert-utils/csr_create.html
>
> [image: d9d56a064ef74ec2a05207cce68f9901.png]
>
> Online Toolbox:
>
> https://tools.imtrust.cn/#/home
>
> [image: d4e2ba3d71184225a61456e2b980bf44.png]
>
> I further checked the domain imtrust.cn and discovered an SSL online
> purchase platform https://order.imtrust.cn/ under this domain. And the
> vendor was found to be SHECA, a trusted CA and full member of CABF.
>
> It shows that, the order placement page also offers the option of CSR
> online generation. https://order.imtrust.cn/
>
> [image: IMG_20251002_072154.png]
>
> This situation might be different from the previous discussion on reseller
> generating key pairs on behalf of end customers. Because SHECA is operating
> as a CA and offers CSR online generation tool.
>
> I'm not sure whether this site has been included into the audit scope and
> whether its operation and data protection schemes have been properly
> reviewed. It is also not clear that whether this practice violates the
> requirements of BR 6.1.1.3.
>
> I'd like to discuss this situation together and also request SHECA to
> provide a response regarding this matter.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/45b3a338-a2f7-46c2-b46f-5fea5de33e4fn%40mozilla.org.
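The concern in the thread is who generates, and therefore who has ever held, the subscriber's private key. The following is an added example, not code from the thread, from SHECA, or from the tools it discusses: it shows the alternative the discussion assumes, generating the key pair and the CSR on the subscriber's own system with only the Go standard library, so that the CSR (and nothing else) is what gets sent to the CA. The hostnames `example.test` and `www.example.test` are constructed placeholders. A second check confirms that a CSR does not verify against a key other than the one that produced it, which is how a subscriber can confirm a CSR supplied by any third party was not made with a key they do not control.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
)

// GenerateLocalCSR creates a fresh P-256 key pair and a CSR for the given
// hostnames entirely inside the caller's process. The private key is handed
// back to the caller and is never part of what is submitted to the CA.
func GenerateLocalCSR(commonName string, dnsNames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}
	// CreateCertificateRequest self-signs the request with the private key,
	// which is the proof of possession the CA later checks.
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// VerifyCSRMatchesKey parses a DER-encoded CSR, checks its self-signature,
// and confirms the embedded public key belongs to the given private key.
// It returns false (without error) when the CSR was made with another key.
func VerifyCSRMatchesKey(der []byte, key *ecdsa.PrivateKey) (bool, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("unexpected public key type %T", csr.PublicKey)
	}
	return pub.Equal(&key.PublicKey), nil
}

// CSRToPEM encodes the CSR for submission; this is the only artifact that
// needs to leave the subscriber's system.
func CSRToPEM(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
}

// PrivateKeyToPEM encodes the key for local storage only (e.g. a 0600 file
// next to the web server configuration); it is never sent anywhere.
func PrivateKeyToPEM(key *ecdsa.PrivateKey) (string, error) {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})), nil
}

func main() {
	// Constructed hostnames for illustration.
	key, der, err := GenerateLocalCSR("example.test", []string{"example.test", "www.example.test"})
	if err != nil {
		fmt.Fprintln(os.Stderr, "key/CSR generation failed:", err)
		os.Exit(1)
	}
	ok, err := VerifyCSRMatchesKey(der, key)
	if err != nil || !ok {
		fmt.Fprintln(os.Stderr, "CSR does not verify against the local key:", err)
		os.Exit(1)
	}
	// Only the CSR is printed for submission; the key stays local.
	fmt.Print(CSRToPEM(der))
}
```

Running the program prints a PEM CSR that can be pasted into a CA order form; the private key never exists outside the machine that ran it. The same `VerifyCSRMatchesKey` check is useful whenever a CSR arrives from somewhere else, because a request that does not verify against a key you hold is one whose key you do not control.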
