Announcement Regarding SHECA's Replacement of Some Subscriber Certificates

All timestamps are Beijing time (UTC+8)

To all relevant entities and subscribers:

Per discussions within the International CA/B Forum community regarding SHECA's certificate application API, SHECA has deactivated the following APIs due to security risks: the online CSR generation API (/open-api/v2/tools/gen-csr, deactivation date: October 9, 2025, 24:00); and the certificate download API (/open-api/v2/order/download-zip and /openApi/v1/order/getCertInfo, deactivation date: October 7, 2025, 24:00). To align with the CA/B Forum Baseline Requirements and SHECA's latest TLS CP/CPS requirements, SHECA has decided to revoke and replace certificates issued or downloaded through these APIs.

Affected Certificates: Certificates issued by the "Xinnet DV SSL" and "Xinnet OV SSL" intermediate roots, as well as certificates applied for through Mobile Cloud, that are still valid as of October 9, 2025, 24:00.

Solution: SHECA plans to revoke the affected certificates before midnight on October 13, 2025, and reissue a new certificate to replace the original one. SHECA will respond to this incident in accordance with the "Massive Revocation Event Preparation and Testing Plan v1.1." For details, please refer to:

https://assets-cdn.sheca.com/documents/Mass%20Revocation%20Incident%20Preparation%20and%20Testing%20Plan%20v1.1.pdf

Note: Subscribers are requested to deactivate the private key associated with the original certificate and not use the CSR corresponding to this private key to apply for any certificate on any platform.

Contact Information

Shanghai Electronic Certification Authority Co., Ltd.

Address: 18th Floor, Jiajie International Plaza, 1717 North Sichuan Road, Shanghai, China

Postal Code: 200080

Tel: 86-21-36393197

Email: report@sheca.com

Shanghai Electronic Certification Authority Co., Ltd.

October 10, 2025