More Confusion for Symantec PKI Customers and Partners

When it was announced last week that DigiCert would be acquiring Symantec’s website security business and related PKI solutions, I instantly went into question mode…

• How does the “little guy (DigiCert)” make an acquisition this big?
• What is the long-term viability of the company with a $1+ BILLION investment?
• Can DigiCert integrate a much larger company into their business with minimal disruptions?
• How will DigiCert pick up the pieces with the Google and Mozilla distrust timeline still looming?
• How will DigiCert issue Domain Validated (DV) SSL Certificates for Symantec customers and partners when DV Certificates are not part of its portfolio today?
• What will be the impact on DigiCert’s infrastructure and operations to reissue and re-vet Symantec certificates and domains under the Google/Mozilla timeline?
• Google asks: In light of DigiCert’s acquisition of Symantec’s PKI business and Symantec’s substantial equity investment in DigiCert, can you explain how you believe selecting DigiCert as the Managed CA Partner meets the stated requirement of being an independent and non-affiliated organization?
• What’s the strategy with Thoma Bravo (DigiCert’s primary investor) leading the acquisition?

These are just a few of the many questions that I had when the news broke. And, I’m sure many of you as Symantec customers and partners had similar thoughts. I will address these questions as I break down the facts of the acquisition and what we know below.

Anatomy of the Acquisition

Under the pressure of Google, Symantec had to make a move. The company basically had limited choices: one being to establish a relationship with a Managed CA before the December 1, 2017 deadline or another being to sell the business unit off. As we are all now aware, they chose to sell and make the Google distrust issue somebody else’s problem. Here are the facts of the acquisition from the Symantec/DigiCert press release:

• DigiCert will acquire Symantec’s Website Security and related PKI solutions.
• Under terms of the agreement, Symantec will receive approximately $950 million in upfront cash proceeds and approximately a 30% stake in the common stock equity of the DigiCert business at the closing of the transaction.
• The transaction, which has been unanimously approved by the Symantec Board of Directors, is expected to be completed in the third quarter of fiscal 2018, subject to the satisfaction of the customary closing conditions.
• Thoma Bravo is the private equity firm that has backed DigiCert since 2015.

The facts we know about Symantec, DigiCert and Thoma Bravo:

• Revenue in fiscal year 2017 from Symantec’s Website Security and related PKI solutions business was reported to be $350 million.
• Original acquisition cost of the VeriSign Authentication Services Business by Symantec was $1.28 billion.
• DigiCert revenues as reported in the 2014 Fastest Growing Companies in Utah by UtahValley360 were $45 million.
• In 2017 Computerworld Best Places to Work in IT report, DigiCert had a total of 225 U.S.-based employees.
• Thoma Bravo is a very successful and well respected private equity and growth capital firm.

Acquisitions of this size are not made without detailed analysis and extensive planning. Thoma Bravo has a great track record of buying and selling companies. They are in the money-making business. An example in this industry is Thoma Bravo’s acquisition of Entrust and eventual sale of Entrust to Datacard. While it is only speculation on my part, I can’t help but wonder what Thoma Bravo’s strategy may be. What’s next is anyone’s guess at this point.

What Happens Now with Google and Mozilla?

Nothing changes for Symantec certificates and the planned timeline of distrust established by Google and Mozilla. More than a million Symantec SSL Certificates and domains must be re-vetted by a much smaller Certificate Authority, potentially causing disruption to Symantec SSL customer websites, users and services.

DECEMBER 1, 2017: 

• According to Symantec, the new managed partner infrastructure will at this point be capable of full issuance. Any certificates issued by Symantec’s old infrastructure after this point will cease working in a future Chrome update.
• From this date forward, site operators can obtain TLS Server Certificates from the new managed partner infrastructure that will continue to be trusted after Chrome 70 (~October 23, 2018).
• December 1, 2017 does not mandate any certificate changes, but represents an opportunity for site operators to obtain TLS Server Certificates that will not be affected by Chrome 70’s distrust of the old infrastructure.

March 15, 2018

• Chrome 66 released to beta, which will remove trust in Symantec-issued certificates with a not-before date before June 1, 2016. As of this date, in order to ensure continuity of operations, site operators must be using either a Symantec-issued TLS Server Certificate issued on or after June 1, 2016 or a currently valid certificate issued from any other trusted CA as of Chrome 66.
• Site operators that obtained a certificate from Symantec’s old infrastructure after June 1, 2016 are unaffected by Chrome 66 but will need to obtain a new certificate by the Chrome 70 dates described below.

APRIL 17, 2018 (Chrome 66 release):

• Chrome will distrust certificates issued by Symantec before 1 June 2016.

SEPTEMBER 13, 2018: 

• Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted infrastructure. This will not affect any certificate issued by the new Managed CA(s), which Symantec has said will be operational by December 1, 2017.
• Only TLS Server Certificates issued by Symantec’s old infrastructure will be affected by this distrust regardless of issuance date.

OCTOBER 23, 2018 (Chrome 70 Release):

• Chrome will distrust ALL certificates issued by Symantec's old infrastructure, including those issued after 1 June 2016

Who Does This Impact?

Seems like Symantec has the most to gain. They shed a troubled business unit and outdated CA platform that was weighing heavily on its reputation. In doing so, they recovered nearly all of the costs of the original VeriSign acquisition and saw a quick bump in their stock price following the DigiCert acquisition. This was a shrewd business move for Symantec.

For Symantec customers and partners caught in the Google/Mozilla browser distrust issue, nothing is clear here and they still need to go through the distrust timeline that Google and Mozilla have set. Now, they will need to rely on a new and much smaller certificate vendor, DigiCert, to help them through this. The problem is that the signatures on the acquisition agreement are still wet. The deal still needs to technically close, hundreds of Symantec employees may need to officially join DigiCert and infrastructure, systems and processes need to be integrated. A lot of work needs to be done in a short timeframe to ensure the business operations of Symantec SSL Certificate customers and partners are not interrupted.

I am sure existing DigiCert customers and partners have questions too. Can DigiCert support its current customers and partners at the level they have come to expect with all of these distractions going on?

The influx of Symantec customers, consisting of thousands of enterprise customers with hundreds of thousands of domains, could lead to operational overload as DigiCert tries to re-verify all previously-vetted Symantec domains. This could result in delayed responses from support, longer certificate vetting periods with potential delays in issuance and less attention than they are used to in general. Existing DigiCert customers may also face changes in product and service offerings as the company integrates the four Symantec brands.

What Choices Do You Have Today?

Let me say that we (GlobalSign) have the utmost respect for DigiCert. While we are competitors, we still work very closely with one another within the CA/Browser Forum and CA Security Council on defining best practices, standards and regulations for the CA industry.

So as Symantec customers and partners, you essentially have two choices; trust that the acquisition can work and that DigiCert has you in their best interests, or consider switching to another CA vendor now.

Here’s my GlobalSign pitch. GlobalSign is a global leading CA that is built to support the enterprise. Our highly scalable Managed PKI platform fully automates certificate issuance to any enterprise endpoints (see the details here), manages the complete certificate lifecycle and easily integrates into your IT and business processes.

In using our platform, we will not only enable you to solve your SSL/TLS needs, but also provide you the ability to offer client certificates to address other uses cases such as user and device authentication, secure email (S/MIME), mobile device security and high-volume document signing – all from ONE single platform. And, we don’t just stop there. We have built this platform for IoT scalability. No other CA can match the volume and velocity that we offer – over 3,000 certificates per second.

We welcome you give us a try and have an aggressive SSL switch campaign to get you started today. We offer great pricing and additional discounts for switching that can include 30% off, time remaining on your existing SSL Certificates will be added to your new GlobalSign certificates and 30 additional days of validity – up to 27 months max.

If you think switching CAs will be difficult, we make it very easy. Our dedicated, local language account managers and support teams can walk you through four simple steps to make the switch to GlobalSign.

We’re here to help you. Contact us today.