HARICA: Continued issuance and refusal to revoke DV TLS certificates for EU-sanctioned blocked entities
A reporter audited HARICA-issued active public TLS certificates and filed Certificate Problem Reports (CPRs) to HARICA’s compliance/support team for certificates issued to domains associated with EU-sanctioned blocked entities under EU Council Regulation (EU) No 269/2014. The reporter states that HARICA formally refused to revoke the reported certificates and closed the CPRs, asserting the certificates are DV (Domain Validated) Server TLS certificates and that DV certificates “do not require any additional vetting” beyond domain control confirmation. The reporter lists specific still-active domains/certificates (including sberbank.com, vtb.com, and wildcard domains such as *.kamaz.ru, *.veb.ru, and *.dialog.info) and argues HARICA is in violation of EU law and must immediately revoke the certificates. A participant comment supports the view that HARICA needs to handle the issue and notes that similar DV incidents have been discussed previously on Bugzilla. The bug remains in ASSIGNED status, with no resolution stated in the provided thread.
- Reporter filed CPRs to HARICA requesting revocation of specific HARICA-issued DV TLS certificates for EU-sanctioned blocked entities.
- HARICA refused to revoke the reported certificates and closed the CPRs, stating the certificates are DV and require no additional vetting beyond domain control.
- g6h6m238929@gmail.com — Created the case with attachments and stated that HARICA refused to revoke the CPR-reported DV TLS certificates and closed the reports with a copy-paste statement explaining its rationale.
- g6h6m238929@gmail.com — Added additional certificate-related attachments for other reported domains.
- g6h6m238929@gmail.com — Added more certificate-related attachments for additional reported domains.
- g6h6m238929@gmail.com — Added more certificate-related attachments for additional reported domains.
- rdaurne77@gmail.com — Commented that HARICA needs to handle the issue, that the Baseline Requirements still apply even if not explicitly stated in the CP/CPS, and referenced a similar DV incident discussed on Bugzilla.