eMudhra emSign PKI Services : www Subdomain Inclusion in Certificate SAN via ACME Issuance Workflow

eMudhra Technologies Limited identified a misissuance incident where the ACME issuance workflow automatically included the www subdomain in the Subject Alternative Name (SAN) extension for certificates requested for base domains only. This behavior occurred without explicit subscriber authorization and was found to violate CA/Browser Forum Baseline Requirements. Following a customer inquiry, eMudhra revoked all 239 affected certificates and corrected the issue in their issuance pipeline. The incident was reported and a full analysis was conducted to ensure compliance moving forward.

1. 2026-05-02 Earliest affected subscriber certificate issued via ACME pipeline.
2. 2026-05-30 Customer complaint triaged; internal investigation initiated.
3. 2026-05-30 ACME www auto-addition logic was corrected.
4. 2026-06-02 Revocation of all 239 valid affected certificates completed.
5. 2026-06-09 Full Incident Report prepared and submitted.