Let’s Encrypt Certificate Rules Now Include U.S. Sanctions Warranties

Let’s Encrypt now requires certificate subscribers to confirm they are not covered by comprehensive U.S. sanctions or restricted-party rules.

Let’s Encrypt, the world’s largest free SSL/TLS certificate issuer and one of the key services behind today’s HTTPS web, has updated its Subscriber Agreement with new language requiring certificate applicants to confirm that they are not covered by comprehensive U.S. sanctions, export-control restrictions, or related prohibited-party rules.

This update is included in version 1.7 of the Let’s Encrypt Subscriber Agreement, dated June 4, 2026. The agreement sets the terms for requesting, accepting, and using SSL/TLS certificates issued by the Internet Security Research Group, the nonprofit behind Let’s Encrypt.

The key change is in Section 3.1, which outlines subscriber warranties. Subscribers must now confirm they are not located in, organized under the laws of, or ordinarily resident in a country or territory subject to comprehensive U.S. sanctions.

“You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.”

The clause also applies to prohibited or restricted parties under U.S. or other applicable sanctions and export-control laws. It further extends to individuals or entities owned, controlled by, or acting on behalf of such parties.

Practically, this update ties Let’s Encrypt certificate eligibility more directly to U.S. sanctions compliance. It covers both geographic restrictions for sanctioned jurisdictions and list-based restrictions for specific sanctioned parties.

OFAC, the U.S. Treasury office that administers sanctions, classifies programs as comprehensive or selective, using measures such as asset blocking and trade restrictions. Its public search tool checks names against U.S. sanctions lists, including the Specially Designated Nationals and Blocked Persons List.

Importantly, for Let’s Encrypt users, this change does not introduce a new technical certificate-validation process. The updated language is a legal warranty by the subscriber, not a public statement that Let’s Encrypt is automatically blocking all domains from certain country-code top-level domains.

The updated agreement also impacts certificate lifecycle responsibilities. If any warranties in Section 3.1 become untrue for an existing certificate, the subscriber must immediately request revocation. ISRG may also refuse certificate requests at its sole discretion, for any lawful reason.

For most users, this update will likely have no practical impact. For those connected to comprehensively sanctioned jurisdictions or listed parties, the new language makes the compliance requirement explicit in the agreement.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
