Comodo CA sold to private equity as DigiCert completes Symantec CA purchase

Francisco Partners has installed a new CEO and chair in the deal for an undisclosed sum.
Written by Chris Duckett, Contributor

The certificate authority (CA) business of Comodo has seen its majority share sold to Francisco Partners for an undisclosed amount.

As part of the deal, Comodo CA will have former Entrust COO and Expedia CIO Bill Holtz installed as CEO, alongside new chair Bill Connor, who currently serves as president and CEO of SonicWall and was previously CEO of Entrust.

SonicWall was spun out of Dell Technologies in November last year, and remains controlled by Francisco Partners and hedge fund Elliott Management after the pair picked up Dell Software Group for over $2 billion.

"The alignment of the Comodo CA acquisition with the current market demand for trusted certificates and certificate lifecycle management signals a monumental opportunity for all parties," Holtz said. "The need to responsibly provide the required verification, oversight, and operational management to encrypt network traffic and identify websites will only grow."

"Trusted digital certificates will remain a fundamental requirement of today's network security infrastructure for ecommerce and new evolving IoT networks. Francisco Partners has a sound, smart, and aggressive strategy for Comodo CA."

Comodo Group founder, CEO, and president Melih Abdulhayoglu will retain a minority ownership stake, and remain as a board observer.

"Comodo CA was the first business of the Comodo brand, which has since then expanded into many other areas of security," Abdulhayoglu said. "However, now is the time to focus attention on the CA business given the significant opportunity in the market. This next chapter for both Comodo CA and Francisco Partners will positively impact the digital certificate market, and accelerate the company's business objectives."

Francisco Partners said Comodo had issued 55 million certificates this year, the highest number in the market, and has seen double-digit growth for "several years".

At the same time, DigiCert completed its billion-dollar purchase of Symantec's former certificate business.

Announced in August, the transaction saw Symantec gain $950 million in cash, which it has flagged for debt repayments, alongside a 30 percent stake in DigiCert.

The transaction followed months of discussion between Google, Mozilla, and Symantec about how the browsers would phase out trust in Symantec-issued TLS certificates.

Today, DigiCert claimed Symantec customers had a "clear path forward" to maintain trust in their certificates, with the company planning to replace distrusted certificates for free.

Mozilla said this week that it would take a wait-and-see approach to how the new DigiCert business operates, and that it hopes the new entity will not simply be Symantec by another name.

"We would be concerned if the combined company continued to operate significant pieces of Symantec's old infrastructure as part of their day-to-day issuance of publicly trusted certificates," Gervase Markham and Kathleen Wilson of Mozilla wrote.

"We would be concerned if the management of the combined company, particularly that part of it providing technical and policy direction and oversight of the PKI, were to appear as if Symantec were the controlling CA organisation in the merger."

The pair said there are no changes to the plan to distrust the former Symantec certificates.

"It would not be appropriate for a CA to escape root program sanction by restructuring, or by purchasing another CA through M&A and continuing operations under that CA's name, essentially unchanged," they said.

"And examination of historical corporate merger and acquisition activity, including deals involving Symantec, shows that it's possible for an M&A billed as the 'purchase of B by A' to end up with name A and yet be mostly managed by the executives of B."

In July, security researcher Hanno Böck submitted a fabricated private key, one that did not correspond to his certificate, to Symantec as a key-compromise report, to test whether the CA would verify the claim before revoking his legitimate certificate. Symantec revoked it anyway, without checking that the key matched.

"No harm was done here, because the certificate was only issued for my own test domain. But I could've also faked private keys of other people's certificates. Very likely Symantec would have revoked them as well, causing downtimes for those sites," Böck wrote. "I even could've easily created a fake key belonging to Symantec's own certificate."

Böck also tested Comodo, which correctly rejected the bogus key and did not revoke his certificate.
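The check Böck's test probed, as an added shell example that is not code from the article, from Böck, or from either CA: a CA that receives a "this private key is compromised" report should confirm that the submitted key actually corresponds to the certificate's public key before revoking anything. The script generates its own throwaway certificate, its matching key, an unrelated key standing in for a fabricated one, and a file that is not a key at all (all constructed test material), then compares the SubjectPublicKeyInfo derived from the submitted key with the one bound in the certificate. It assumes the `openssl` command-line tool is on PATH; the function names `spki_digest_of_cert`, `spki_digest_of_key`, `key_matches_cert` and `revocation_decision` are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or either CA): the check a CA should run
# on a key-compromise report before revoking. Assumes the openssl CLI is on
# PATH; the function names below were chosen for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a legitimate key with its self-signed certificate,
# an unrelated key standing in for a fabricated one, and a file that is not a key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=test.example" \
  -keyout "$WORK/legit.key" -out "$WORK/legit.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/forged.key" >/dev/null 2>&1
printf 'not a key at all\n' > "$WORK/garbage.key"

# spki_digest_of_cert CERT: SHA-256 of the DER SubjectPublicKeyInfo in CERT.
spki_digest_of_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# spki_digest_of_key KEY: SHA-256 of the SubjectPublicKeyInfo derived from the
# submitted private key. Fails (prints nothing) if the file does not parse as a key.
spki_digest_of_key() {
  openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert CERT KEY: succeeds only when the public half of KEY is exactly
# the public key bound in CERT. A wrong key or garbage fails the check.
key_matches_cert() {
  cert_digest="$(spki_digest_of_cert "$1")"
  key_digest="$(spki_digest_of_key "$2")" || return 1
  [ -n "$cert_digest" ] && [ "$cert_digest" = "$key_digest" ]
}

# revocation_decision CERT KEY: prints "revoke" only on a demonstrated match and
# "reject" otherwise, so a stranger cannot take a site offline with an invented key.
revocation_decision() {
  if key_matches_cert "$1" "$2"; then
    echo revoke
  else
    echo reject
  fi
}

revocation_decision "$WORK/legit.crt" "$WORK/legit.key"    # revoke
revocation_decision "$WORK/legit.crt" "$WORK/forged.key"   # reject
revocation_decision "$WORK/legit.crt" "$WORK/garbage.key"  # reject
```

Accepting a report because the attachment is a well-formed PEM key is exactly the failure Böck describes; the match test above is cheap and is the only evidence that the reporter holds the key. The same check applies whether the certificate in question belongs to a subscriber or to the CA itself, which is the case Böck points to at the end of his quote.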
