Why do SSL certificates have country codes (or other metadata)?

The reason certificates have the metadata they do is historical. Certificates are defined in the X.509 standard from the ITU-T. It is part of the implementation of the X.500 standard, the Directory services. It's also related to another standard called LDAP.

These technologies were designed at the beginning of the internet (1988) and have a strong backing in the telephone networks.

The X.500 family of standards were created to facilitate directory services (think phone books). For these it makes sense to record where someone is located in order to tie some arbitrary data (like a phone number) to a physical location or name (like address and name of user).

These features are mainly still present for humans to use. Computers use other means to validate them (like OCSP and the older CRL; a valid period of time, as in not-valid-before and not-valid-after values; and trusted root certificates or CAs, that vouch for the certificate used).

Nowadays there might be a legal requirement to fill in such data accurately but there is no technical reason to enter it aside from auditing and for use by humans.


Certificates don't necessarily have a country code set. I myself have several public certificates with no country code, which are signed without problems by Let's Encrypt. But if a certificate belongs to an organization it is pretty common to provide the actual information for this organization. For simple domain validated (DV) certificates these are purely informative though.

With Extended Validation (EV) certificates this is different: the information shown in the certificate is checked by the CA to reflect the organization.
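Both answers above come down to the same structural fact: the subject of an X.509 certificate is an X.500 Distinguished Name, an ordered list of (attribute OID, value) pairs, and countryName (OID 2.5.4.6) is just one optional entry in that list. The following is an added example, not code from either answer, that encodes and decodes such a Name in DER using only the Python standard library. The two subjects it works on are constructed for illustration (a DV-style subject with only a CN, as Let's Encrypt issues, and an OV/EV-style subject with O and C) and belong to no real certificate; the attribute OID table is the standard X.520 set.

```python
"""Added example (not from the original answers): a minimal DER encoder and
decoder for the X.509 subject Name, showing that the subject is an X.500
Distinguished Name, an ordered list of (attribute OID, value) pairs, and that
the country attribute C (OID 2.5.4.6) is one optional entry among them.
Pure standard library; the subjects below are constructed for illustration."""

# Attribute OIDs from X.520 / RFC 5280 behind the labels people recognise.
ATTR_NAMES = {
    "2.5.4.6": "C",    # countryName (PrintableString, two letters)
    "2.5.4.8": "ST",   # stateOrProvinceName
    "2.5.4.7": "L",    # localityName
    "2.5.4.10": "O",   # organizationName
    "2.5.4.11": "OU",  # organizationalUnitName
    "2.5.4.3": "CN",   # commonName
}
OID_COUNTRY = "2.5.4.6"

# --- DER primitives --------------------------------------------------------

def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    """Dotted OID string -> OBJECT IDENTIFIER TLV (base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last byte
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]    # valid for roots 0, 1 and 2.0-2.39
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# --- X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value } -----------

def encode_name(attributes):
    """attributes: list of (dotted OID, str); one attribute per RDN."""
    rdns = b""
    for oid, value in attributes:
        # countryName must be a PrintableString; the rest are UTF8String here.
        string_tag = 0x13 if oid == OID_COUNTRY else 0x0C
        atv = tlv(0x30, encode_oid(oid) + tlv(string_tag, value.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def decode_name(der):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attributes, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):             # a SET may hold several attributes
            _, atv, inner = read_tlv(rdn, inner)
            _, oid_body, after_oid = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after_oid)
            attributes.append((decode_oid(oid_body), value.decode("utf-8")))
    return attributes

def name_to_string(attributes):
    return ", ".join(f"{ATTR_NAMES.get(oid, oid)}={v}" for oid, v in attributes)

def country_code(attributes):
    """The C attribute if present, else None: the field is optional."""
    return next((v for oid, v in attributes if oid == OID_COUNTRY), None)

# Constructed DV-style subject holding only CN=example.com, hand-encoded as raw DER.
DV_SUBJECT_DER = bytes.fromhex(
    "3016" "3114" "3012" "0603550403" "0c0b" + "example.com".encode().hex()
)
# Constructed OV/EV-style subject carrying organisation and country.
OV_SUBJECT = [(OID_COUNTRY, "US"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "example.com")]

if __name__ == "__main__":
    for label, der in (("DV", DV_SUBJECT_DER), ("OV", encode_name(OV_SUBJECT))):
        attrs = decode_name(der)
        print(f"{label}: {name_to_string(attrs)}  country={country_code(attrs)}")
```

Run stand-alone, the DV subject decodes to `CN=example.com` with `country=None`, while the OV subject decodes to `C=US, O=Example Corp, CN=example.com`; nothing in the parser needs the C attribute to exist, which is the structural reason a certificate without a country code is perfectly valid. What a client actually enforces (validity window, chain to a trusted CA, revocation via OCSP or CRL) lives in other fields of the certificate, not in this Name.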