''(a.k.a. "Issue 2")''
In July 2016, it became clear that there was some problems with the StartEncrypt automatic issuance service recently deployed by the CA StartCom. This was a StartCom-branded service and was not publicised as being able to issue certificates from WoSign. However, changing a simple API parameter in the POST request on the submission page changed the intermediate/root certificate to which the resulting certificate chained up. The value "2" made a certificate signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free SSL Certificate G2" and "0" selected "CA 沃通根证书", another root certificate owned by WoSign and trusted by Firefox.
Using A security investigator used the value "1" led to a certificate , and acquired two certificates which had a notBefore date dates (usage start date) of 20th December 2015, and which was were signed using the SHA-1 checksum algorithm. (XXX To investigate[https://crt.sh/?q=30741722 Cert 1], [https: did the chain contain some SHA-256 certs//crt.sh/?)id=30741724 Cert 2].
* The issuance of certificates using SHA-1 has been banned by the Baseline Requirements since January 1st, 2016. Browsers, including Firefox, are enforcing this - in Firefox's case, for publicly-trusted CAs, since [https://bugzilla.mozilla.org/show_bug.cgi?id=1254667 Firefox 48], released on 1st August 2016.
* The issuance of backdated certificates is not forbidden, but is included in [https://wiki.mozilla.org/CA:Problematic_Practices#Backdating_the_notBefore_date Mozilla's list of Problematic Practices]. It says "Minor tweaking for technical compatibility reasons is accepted, but backdating certificates in order to avoid some deadline or code-enforced restriction is not."