North Korea Has 9 SSL Certificates. The US Has 62 Million. The Real Story Is Not a Digital Divide

The headline numbers are real and sourced. The conclusion most coverage draws from them is wrong. North Korea’s near-absence from global SSL certificate counts is overwhelmingly a function of US export sanctions law, not a story about technology adoption, encryption literacy, or digital infrastructure sophistication. This article presents the verified numbers and explains what they actually measure.

The Verified Numbers

According to BuiltWith data cited in SSL Dragon’s January 2026 SSL statistics report, the United States leads global SSL certificate counts with over 62 million detected certificates. Germany follows in second place with approximately 4.7 million. North Korea sits at the opposite extreme: only 9 valid SSL certificates were detected for the entire country.

These figures are real and the disparity is dramatic. A 6.9-million-to-1 ratio between the top country and the bottom is a genuinely striking number. The question worth asking is what produces it.

What Country-Level Certificate Counts Actually Measure

BuiltWith and similar web technology detection services count certificates associated with websites and IP addresses geolocated to a given country, typically through crawling the visible web and matching certificate Subject or SAN fields to country-coded domains and hosting locations. This measures detectable, publicly crawlable web infrastructure associated with a country. It does not measure:

• The proportion of a country’s existing websites that use encryption (a percentage adoption rate)
• Individual citizens’ access to or use of encrypted services like banking, email, or messaging apps, most of which are hosted on infrastructure in other countries (US, EU) regardless of where the user lives
• Government, military, or private network encryption infrastructure not visible to public web crawlers

A country with very few domestically hosted websites will show very few certificates in this measurement, regardless of how its citizens access encrypted services elsewhere. This is the first reason the raw count is a measure of hosted web infrastructure volume, not encryption sophistication.

The North Korea-Specific Factor: This Is a Sanctions Story

For North Korea specifically, there is a second and more decisive factor: it is illegal for major US-based Certificate Authorities to issue SSL certificates to entities in North Korea. GoDaddy’s own published certificate issuance policy explicitly lists North Korea alongside Cuba, Iran, Sudan, and Syria as countries where secure certificates of any type cannot be issued to individuals or business entities. The same policy explicitly states that secure certificates cannot be issued for websites using the .kp country-code top-level domain.

This is not a GoDaddy-specific policy choice. It reflects compliance with US export control law (administered by the Office of Foreign Assets Control, OFAC) that applies to any US-domiciled company, including the certificate authorities that issue the overwhelming majority of the world’s SSL certificates. Let’s Encrypt, GoDaddy, Sectigo, and DigiCert collectively account for the large majority of global certificate issuance, and all are subject to the same US sanctions compliance framework.

The structural conclusion: even if North Korea had a robust domestic web ecosystem with thousands of sites wanting HTTPS encryption, the dominant global CAs are legally barred from serving them. The 9-certificate figure reflects what a small number of non-US-restricted CAs, or pre-sanctions historical issuances, or unusual circumstances produced, against a backdrop where the normal commercial path to obtaining a certificate is closed by law rather than by choice or technical capacity.

Country Comparison: What the Numbers Show With Context

Note the UK row specifically: different sources report meaningfully different figures for the same country (3 million in one 2025 dataset, 5.36 million in a 2022 BuiltWith snapshot, 4.7 million cited elsewhere without a clear date). This inconsistency across sources is itself informative: country-level certificate counting is not a standardized, continuously tracked metric with a single authoritative source. Any single figure should be treated as directionally indicative rather than precise.

The More Interesting Story: Three Companies Control the Encrypted Web

If the goal is to find a genuinely surprising concentration story in SSL certificate data, the country-level comparison is less compelling than the certificate authority-level comparison. According to SSL Dragon’s January 2026 report, 93% of all detected SSL certificates as of January 2026 come from just three providers.

• Let’s Encrypt: 73% of all certificates, reflecting its position as the default free, automated certificate provider for most web hosting platforms and content management systems
• GoDaddy: 62%, driven substantially by GoDaddy’s enormous base of hosted and parked domains rather than active commercial websites specifically choosing GoDaddy as a security provider
• Sectigo: 69%, the largest commercial-focused CA by volume among the top three

This concentration is a more structurally significant story than the country comparison. It means the trust infrastructure for the encrypted web, the systems that determine which organizations get verified and which certificates get issued under what rules, rests with a remarkably small number of organizations. A policy change, technical failure, or compliance issue at any one of these three providers has outsized consequences for the entire web’s certificate ecosystem. This concentration is precisely why events like the Entrust distrust of 2024 and the ongoing CA root migrations covered elsewhere on this site matter disproportionately: a small number of organizations control the infrastructure that the rest of the web depends on.

What Certificate Geography Means for an Actual Business

For a business operating in any country with normal access to international commerce and the internet, certificate geography is irrelevant to the security or cost of the SSL certificate they can obtain. A business in India, Brazil, Vietnam, or the United Kingdom has access to identical SSL/TLS technology, identical browser trust, and near-identical pricing as a business in the United States or Germany.

Sectigo PositiveSSL DV certificates from authorized resellers cost the same $4.99/year globally, regardless of the purchasing business’s country, as long as that country is not subject to specific export restrictions. OV and EV certificates require organizational validation, which works through the same CA/B Forum-defined processes globally. The certificate quality, encryption strength, and browser trust are identical regardless of which country issued the underlying domain or business registration.

The genuine divide that exists is between countries with normal access to the global commercial internet and the small number of countries subject to comprehensive export sanctions (Cuba, Iran, North Korea, Sudan, Syria, and at various points Russia for specific sanctions). For every other country, the SSL certificate market is genuinely global and accessible.

If your business operates internationally and you are unsure whether your specific country has any certificate issuance restrictions with a given CA, check that CA’s published country support list before purchasing. GoDaddy, SSL.com, and most major resellers publish explicit country eligibility lists. For the overwhelming majority of countries, certificate issuance works identically to issuance for a US-based business.

Frequently Asked Questions

Does this mean North Korean citizens have no access to encrypted internet connections at all?

This article addresses publicly detectable SSL certificate counts for North Korea specifically, which reflects the near-total absence of commercially issued, publicly trusted certificates for North Korean domains and infrastructure. It does not speak to North Korea’s internal network architecture, which operates largely isolated from the global internet through its own intranet system (Kwangmyong) separate from the certificate infrastructure discussed here. The certificate count metric is specifically about the publicly crawlable, internationally trusted web, which is a different question from a country’s internal network security architecture.

Why do different sources report such different certificate counts for the same country?

Country-level certificate counting methodologies vary by data provider, snapshot date, and what counts as ‘belonging’ to a country (certificates with that country code in the Subject field, certificates on IP addresses geolocated to that country, or certificates registered to domains with that country’s ccTLD). BuiltWith, the most commonly cited source, updates its dataset continuously, so figures cited from different months or years will differ. There is no single standardized, continuously authoritative source for this metric, which is part of why a single headline figure should be treated as illustrative of relative scale rather than as a precise, stable statistic.

Is the concentration of 93% of certificates among 3 providers a security risk?

It creates a structural concentration risk rather than a certificate-validity risk: the certificates themselves remain cryptographically sound regardless of which of the top three CAs issued them, since all are bound by the same CA/B Forum Baseline Requirements. The risk is operational and systemic: an outage, policy change, or trust store removal affecting one of the top three providers has an outsized impact on the web’s overall certificate ecosystem, simply because so much of the web depends on that one provider. This is the same dynamic that made the 2024 Entrust distrust and various CA root migrations significant industry events: when a small number of providers handle the overwhelming majority of issuance, their individual reliability becomes a systemic concern for the broader internet.