>Before you stop reading because you don't trust a Chinese company for your website encryption, please keep in mind that you don't have to trust them at all! You generate the SSL key on your server and only send them the CSR (certificate signing request), which doesn't contain any private information.
That's not really the reason we might not trust a CA. The CA needs to make assurances that it won't improperly sign certificates for an entity purporting to be the principal, e.g., DigiNotar. Maybe this CA has, but that's still a weak argument.
DigiNotar failed to disclose the known breach for 6 weeks (https://blog.mozilla.org/security/2011/09/02/diginotar-remov...). Whether it was incompetence, coercion, or complicity matters little. I still have my doubts that China provides a climate suitable to a properly functioning CA.