Certificates for US sanctioned countries


Does Let’s Encrypt issue certificates for ccTLD domains of US sanctioned countries?

Most of the CAs in the industry refuse to issue certificates for US sanctioned countries (e.g. .ir is ccTLD for Iran and there is only a handful of issuers who accept .ir domains.)

What about Let’s Encrypt? Do you have such policies?


I assume as they operate a CA, they’d have to follow similar rules too


We’re talking about this topic in the hope that the sanctions will not be an obstacle for providing certificates globally. Unfortunately, I don’t have anything definitive to say yet.


We are not planning to restrict issuance to any countries/ccTLDs as a whole. We will, however, be restricting issuance to various government owned and operated domains for the following five countries:

  • Iran
  • Sudan
  • North Korea
  • Cuba
  • Syria

This policy is based on an analysis of applicable U.S. laws and regulations with our legal team. We reserve the right to change this policy at any time to comply with applicable U.S. laws and regulations.


Really, Cuba is still on the list these days?


Yes. Some restrictions on Cuba have relaxed, others are still in place.


To note, General License D-1 Annex 11 provides authorization for export of SSL Certificate services to Iran, and GL D-1 §6, entitled “Publicly available, no cost services and software to the Government of Iran,” authorizes such items to Iranian government entities provided it is offered at no cost [1]. Sudan and Cuba are similarly covered by License Exception ‘Consumer Communications Devices’ (EAR §740.19) [2]. Under the CCD, Cuban government and Communist party officials are not eligible end users, however, §§(c)(1)(iii) does permit not-for-cost information security software to be exported to Sudanese government entities. Crimea (absent from your list, but still broadly sanctioned) and Syria have older authorizations for personal communications services over the Internet offered at no cost (and I believe to non-governmental users), which would likely exempt the CA services, however, no such provisions exist for North Korea – so I would encourage Let’s Encrypt to exercise caution with regard to DPRK entities.

Neither GL D-1 nor the CCD permit exports to SDN entities, but that’s a fact of life that Let’s Encrypt would have to deal with more broadly than sanctioned countries, e.g. under the Russian sanctions program.

I am elated that Let’s Encrypt will play a role in providing certificates to individuals living under sanctions, as users are constantly subject to terminated SSL services for questionable reasons. If any further needs arise in providing services to such individuals, please be in touch.

[1] https://www.treasury.gov/resource-center/sanctions/Programs/Documents/iran_gld1.pdf
[2] https://www.bis.doc.gov/index.php/forms-documents/doc_view/986-740


I think the relevant document is (2) because even LE provide a service we talk about crypto stuff and RSA2048 is equal to a symmetric cipher >64bit. So signing a CSR with an RSA key with a minimum length >=2048 bit RSA means you support that this individual or organization from a sanctioned country can use it.
I think this could be a question even tricky to answer for lawyers and definitely not as easy as to say it is free of fee. You should remember that crypto stuff is “officially” as strict export controlled as war weapons.


I think this could be a question even tricky to answer for lawyers and definitely not as easy as to say it is free of fee. You should remember that crypto stuff is “officially” as strict export controlled as war weapons.

Cryptography items are regulated as dual use items under the EAR, not as strictly military goods. The OFAC/BIS licenses pertinent to each country authorize their export both under Treasury sanctions programs and under Commerce export regulations.


Hello everyone
I am a freelance developer and live in Iran.
I’ll work on a personal startup with subject of font and Webfont. My domain is font-store.ir
I read all the conversations you’ve got. But I still do not understand. Can I use it or not?
please help me


As josh said, if you are not government owned (or related) there should be no problem.


Can you issue certificate for .sy domain if the owner is a private company?


@AlkazazLouai, I think the answer is yes according to @josh’s previous statement. I can see that there are two recently-issued Let’s Encrypt certs for .sy domains:



Since @josh’s message a year ago on the restrictions on Cuba, has there been any progress? Do you still restrict the issuance? Thanks.


@jvb, I believe those restrictions apply only to government domains in Cuba. If you’d like, I can try to investigate whether there’s a possibility that that restriction will be removed in the future. (You can see on crt.sh that there have been a number of LE certs issued for various .cu sites.)


Is it in your hands to check it?

That would be great. It is actually hard to understand the scope and
interpretation of the US law regarding this issue, and a bit of openness
about how it should be interpreted would be very much appreciated (though
blockade and openness are kind of contradictory terms ;))


@jvb, I’ll investigate.


On February 18, 2016, we determined that U.S. law no longer prevented us from issuing to Cuban government entities. We immediately removed restrictions on issuance to the Cuban government.

Any Cuban entity on the U.S. Treasury Department’s Specially Designated Nationals (SDN) list would still be blocked, but we are no longer blocking issuance to the Cuban government in general.


Also, in case this wasn’t clear, there were never any restrictions on issuance to Cuban nationals or domains except for the Cuban government (now lifted) and Cuban entities on the SDN list (still in effect).


@jvb, I was mistaken in what I said before. Apparently Cuban government domains are permitted for issuance already due to a change in policy, and have been permitted for some time. You can see one issued cert for .gob.cu at