Symantec sells its CA business to DigiCert

Symantec is getting out of the digital certificate business. In a move that extricates it from an ongoing dispute with Google, Symantec has agreed to sell its CA business to DigiCert for $950 million and a 30% ownership stake in the newly merged DigiCert/Symantec hydra.

The acquisition was made by Thoma Bravo, a buyout firm that also controls DigiCert.

“We carefully examined our options to ensure our customers would have a world-class experience with a company that offers a modern website PKI platform and is poised to lead the next generation of website security innovation,” said Symantec CEO Greg Clark via press release. “I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions. Symantec is deeply committed to the success of this transition for our customers.”

Why did Symantec sell?

It would be apropos to say that Symantec was a motivated seller. The cybersecurity giant, which first entered the market with its acquisition of Verisign in 2010, has been butting heads with Google since 2015, after Chrome engineers discovered some mis-issued SSL certificates. A second mis-issuance event in 2016 led to greater scrutiny, which in turn led to more unfortunate discoveries (this time a lack of oversight over regional authorities that were handling parts of validation).

So, earlier this year Google gave Symantec an ultimatum that basically amounted to “we are going to distrust all of the SSL certificates you issue until you fix your broken PKI.”

Whether or not Symantec’s PKI actually was broken is a matter of opinion. Google says that there were over 30,000 mis-issued SSL certificates. Symantec claims it was closer to 30. For the record, there has been zero evidence that any real-world harm was done as a result of the mis-issuances. In the end it didn’t matter, though: Google has the right to police its browser however it wants, and with well over 60% of the global browser market share, it has the power to force an issue.

Fixing its PKI was an untenable proposition in the time given, so Symantec opted to sell its CA assets to Thoma Bravo and DigiCert.

What this means for Symantec customers

There’s good news and bad news as far as Symantec CA brand customers are concerned – that includes customers of RapidSSL, GeoTrust and Thawte, too. The good news is that DigiCert will be taking over validation and issuance for all Symantec brands on or around December 1, 2017, after which point business should continue largely as usual.

At least for the interim, DigiCert plans to keep selling both its own eponymous line and the existing Symantec products, in addition to keeping its sub-CAs active as well. This should ensure as little friction as possible as DigiCert migrates Symantec’s customers onto its own PKI.

However, the migration is going to require user action. That’s the bad news. Google will begin distrusting the first batch of Symantec CA brand SSL certificates next April, with the rest to be distrusted that October. That means that existing Symantec CA customers will need to re-issue or renew their SSL certificates off DigiCert’s roots, lest they face harsh browser penalties when the existing certificates get distrusted.

Look for DigiCert to invest quite a lot of time and energy into communicating this message. After all, most people aren’t keeping close tabs on the SSL industry. Suffice it to say, this is not something you want customers to notice at the last minute, or worse, after the distrust. That would be bad for the SSL industry categorically, especially as Google and the rest of the browser vendors make their final push for universal HTTPS.

Update: DigiCert has rolled out its plan for the replacement of distrusted Symantec SSL certificates. Customers will incur no costs for the re-issue, but they will need to act quickly.

Any Symantec CA customer with an SSL certificate that was issued BEFORE June 1, 2016 has until March 15, 2018 to re-issue their SSL certificate. This coincides with the Beta release of Chrome 66.

Any Symantec CA customer with an SSL certificate that was issued AFTER June 1, 2016, but BEFORE December 1, 2017, has until September 13, 2018 to replace it.

If your Symantec CA SSL certificate was not issued by DigiCert, this likely affects you. For more information head over to DigiCert’s website.
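To see which of these deadlines applies to a given certificate, here is an added example (not from this article, DigiCert or Symantec) that reads the issuer organization and the notBefore date straight out of a DER-encoded certificate using only the Python standard library, and maps them onto the two cut-off dates above. Matching the issuer's organizationName against the four brand names is an assumption made for brevity, since a production check would walk the chain to its root, and sample_cert builds a constructed stand-in certificate so the script runs offline.

```python
import datetime as dt
LEGACY_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")   # brands named in the article

def _tlv(buf, pos):                                 # one DER tag-length-value at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length: low bits = byte count
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):                                # elements of a SEQUENCE/SET body
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def issuer_org_and_not_before(der):
    """Return (issuer organizationName, notBefore) from a DER-encoded X.509 certificate."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                                  # skip optional explicit [0] version
        fields = fields[1:]
    issuer, validity = fields[2][1], fields[3][1]             # after serialNumber and signature
    org = ""
    for _, rdn in _children(issuer):                          # each RDN SET holds type/value pairs
        (_, oid), (_, val) = _children(_children(rdn)[0][1])
        if oid == b"\x55\x04\x0a":                            # id-at-organizationName (2.5.4.10)
            org = val.decode()
    tag, t = _children(validity)[0]                           # notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return org, dt.datetime.strptime(t.decode(), fmt)

def replacement_deadline(der):
    """Date by which the cert must be reissued from DigiCert's roots, or None if unaffected."""
    org, not_before = issuer_org_and_not_before(der)
    if any(b in org.lower() for b in LEGACY_BRANDS):          # issued from the legacy Symantec PKI?
        if not_before < dt.datetime(2016, 6, 1):
            return dt.date(2018, 3, 15)                       # first batch, distrusted from Chrome 66
        if not_before < dt.datetime(2017, 12, 1):
            return dt.date(2018, 9, 13)                       # second batch
    return None                                               # other PKI, or issued after the cutover

def _der(tag, payload):                             # tiny DER encoder (payloads under 256 bytes)
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + payload

def sample_cert(org, not_before_utc):               # constructed stand-in; notBefore as UTCTime text
    attr = _der(0x30, _der(0x06, b"\x55\x04\x0a") + _der(0x13, org.encode()))
    when = _der(0x17, not_before_utc.encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, _der(0x31, attr)) + _der(0x30, when + when))
    return _der(0x30, _der(0x30, tbs))
```

For a real certificate, pass replacement_deadline the bytes of the DER file (or the base64-decoded body of the PEM).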

Originally posted on Thu Aug 10, 2017