Banned Country List for SSL Certificates
Certain SSL certificate providers are unable to issue certificates to individuals or organizations based in specific countries or regions due to international trade restrictions, sanctions, and export control regulations. These restrictions are typically imposed by the U.S. government (OFAC — Office of Foreign Assets Control) and apply to Certificate Authorities headquartered in the United States.
Why Are Some Countries Banned?
SSL certificate providers that are based in or operate under U.S. jurisdiction must comply with U.S. export control laws and economic sanctions programs. These laws prohibit doing business with certain countries, territories, and specially designated nationals.
Commonly Restricted Countries
The following countries and regions are commonly restricted by major Certificate Authorities including DigiCert (which owns RapidSSL, GeoTrust, Thawte, and Symantec SSL brands) and Sectigo (formerly Comodo):
| Country | ISO Code |
|---|---|
| Cuba | CU |
| Iran | IR |
| North Korea | KP |
| Syria | SY |
| Sudan | SD |
| Crimea Region (Ukraine) | — |
Note: This list is subject to change as international sanctions are updated. Always verify current restrictions with your SSL certificate provider.
Additional Restrictions by Provider
DigiCert (RapidSSL, GeoTrust, Thawte)
DigiCert products including RapidSSL and GeoTrust may have additional country restrictions beyond the standard OFAC list. These restrictions apply to:
- The country listed in the CSR (Certificate Signing Request)
- The physical location of the organization requesting the certificate
- The billing address associated with the purchase
Sectigo (formerly Comodo)
Sectigo maintains its own restricted country list that generally aligns with U.S. sanctions but may include additional territories. Contact Sectigo directly for the most current list.
Let’s Encrypt
Let’s Encrypt, as a free and automated CA, generally does not restrict issuance based on country of origin, as the process is automated and does not involve financial transactions in the traditional sense.
What to Do If You Are Affected
If you are in a restricted country or your organization has ties to a restricted region:
- Check with your SSL provider for the most current list of restricted countries.
- Consider alternative Certificate Authorities that may not be subject to the same restrictions.
- Use Let’s Encrypt as a free alternative that generally does not enforce country-based restrictions.
- Verify your CSR details to ensure the country code in your CSR is accurate and reflects your actual location.
Impact on SSL Certificate Orders
If you attempt to order an SSL certificate and your country is on the restricted list:
- The order may be automatically rejected during the validation process.
- You may receive a notification that the certificate cannot be issued for your region.
- Funds will typically be refunded if the order is rejected for this reason.
Important Notes
- These restrictions are imposed by the Certificate Authorities, not by your hosting provider or registrar.
- Sanctions lists are updated periodically; always check the latest information.
- Using false country information in a CSR to circumvent restrictions is a violation of the CA’s terms of service and may have legal consequences.