Yesterday, DigiCert announced it would be acquiring Symantec’s “Website Security Solutions” divisionwhich is comprised of its Certificate Authority, SSL products, and IoT products. In all honesty, this is great news and seems to be well-received within the inner circles of the browser community. DigiCert will begin to validate and issue all certificates beginning on December 1st, 2017.
DigiCert will pay $950 million in cash up front and give Symantec a 30% stake in DigiCert’s common stock equity when the deal closes, which is expected by Q3 2018.
This is a major acquisition that will see two of the world’s largest CAs – Symantec, currently 2nd by market share of commercial CAs and 1st by revenue – join forces.
This does not automatically ‘dissolve’ Symantec’s issues with Google, Mozilla, and other browsers. The recently finalized plan, which will have Symantec’s current root certificates retired and replaced with a new infrastructure, still applies although the deadlines have been moved back in order to provide more adequate timeframes.
Symantec has been expected to announce a “Managed CA” partnership that would issue certificates for it in the interim period while its old roots were phased-out and its new roots are distributed to devices. Instead, rumors that Symantec was considering a sale of its Certificate Authority, that first broke in early July, turned out to be true.
This acquisition is perfectly timed, as Symantec was going to have to invest in and develop an entirely new PKI platform and infrastructure. That seemed like an impossible task within the proposed timelines. Instead, Symantec’s existing customers can now be assured of full browser compatibility and trust by eventually merging to DigiCert’s platform which is already widely used and trusted by the enterprise sector.
This is not DigiCert’s first foray into acquisitions. In 2015, DigiCert acquired the Cybertrust Certificate Authority from Verizon. Its management of Cybertrust has been highly regarded by those in the Web PKI field and held as an exemplary example of how to rehabilitate a CA. Symantec was involved in the largest CA acquisition back in 2010 when it acquired VeriSign. Both parties are extremely experienced and well-equipped to ensure a smooth transition for all.
Shortly after the announcement, DigiCert’s executive vice-president of emerging markets Jeremy Rowley posted to Mozilla’s Dev Security Policy mailing list, where Web PKI topics are discussed.
Rowley said:
“DigiCert is acquiring the Symantec CA assets, including the infrastructure, personnel, roots, and platforms. At the same time, DigiCert signed a Sub CA agreement wherein we will validate and issue all Symantec certs as of Dec 1, 2017. We are committed to meeting the Mozilla and Google plans in transitioning away from the Symantec infrastructure. The deal is expected to close near the end of the year, after which we will be solely responsible for operation of the CA.”
The announcement has been well received by the community, who have great trust in DigiCert’s ability to meet the agreed upon transition timeline for Symantec’s root certificates.
All in all, this acquisition is the best case scenario for all parties involved; Symantec, DigiCert, Google, Mozilla, Chrome users, Firefox users, the browser & developer community, Symantec clients, partners, resellers, and sub-resellers. The SSL & PKI industry has an extremely bright future with a new leader at the helm.
