Comodo® CA Sold To Private Equity Firm

Francisco Partners has installed a new CEO and chair in the deal for an undisclosed sum. At the same time, DigiCert® completed its billion-dollar purchase of Symantec's former certificate business.

The Certificate Authority (CA) Business Of Comodo® Has Seen Its Majority Share Sold To Francisco Partners For An Undisclosed Amount

As part of the deal, Comodo® CA will have former Entrust COO and Expedia CIO Bill Holtz installed as CEO, alongside new chair Bill Connor, who currently serves as president and CEO of SonicWall and was previously CEO of Entrust.

Sonicwall was spun out of Dell Technologies in November last year, and remains controlled by Francisco Partners and hedge fund Elliott Management after the pair picked up Dell Software Group for over $2 billion.

"The alignment of the Comodo® CA acquisition with the current market demand for trusted certificates and certificate lifecycle management signals a monumental opportunity for all parties," Holtz said. "The need to responsibly provide the required verification, oversight, and operational management to encrypt network traffic and identify websites will only grow."

"Trusted digital certificates will remain a fundamental requirement of today's network security infrastructure for ecommerce and new evolving IoT networks. Francisco Partners has a sound, smart, and aggressive strategy for Comodo® CA."

Comodo® Group founder, CEO, and president Melih Abdulhayoglu will retain a minority ownership stake, and remain as a board observer.

"Comodo® CA was the first business of the Comodo® brand, which has since then expanded into many other areas of security," Abdulhayoglu said. "However, now is the time to focus attention on the CA business given the significant opportunity in the market. This next chapter for both Comodo® CA and Francisco Partners will positively impact the digital certificate market, and accelerate the company's business objectives."

Francisco Partners said Comodo® had issued 55 million certificates this year, the highest number in the market, and has seen double-digit growth for "several years".

At the same time, DigiCert® completed its billion-dollar purchase of Symantec's former certificate business.

Announced in August, the transaction saw Symantec® gain $950 million in cash, which it has flagged for debt repayments, alongside a 30 percent stake in DigiCert®.

The transaction followed months of discussion between Google, Mozilla, and Symantec® around how to begin a process of distrust in its TLS certificates.

Today, DigiCert® claimed Symantec® customers had a "clear path forward" to maintain trust in their certificates, with the company planning to replace distrusted certificates for free.

Mozilla said this week it would adopt a wait-and-see approach to how the new DigiCert® business operated, and is hoping the new entity would not simply be Symantec® by another name.

"We would be concerned if the combined company continued to operate significant pieces of Symantec's old infrastructure as part of their day-to-day issuance of publicly trusted certificates," Gervase Markham and Kathleen Wilson of Mozilla wrote.

"We would be concerned if the management of the combined company, particularly that part of it providing technical and policy direction and oversight of the PKI, were to appear as if Symantec® were the controlling CA organisation in the merger."

The pair said there are no changes to plan to distrust the former Symantec® certificates.

"It would not be appropriate for a CA to escape root program sanction by restructuring, or by purchasing another CA through M&A and continuing operations under that CA's name, essentially unchanged," they said.

"And examination of historical corporate merger and acquisition activity, including deals involving Symantec®, show that it's possible for an M&A billed as the 'purchase of B by A' to end up with name A and yet be mostly managed by the executives of B."

In July, security researcher Hanno Böck forged incorrect private keys to test if Symantec® would revoke his legitimate certificate, and, sure enough, they did.

"No harm was done here, because the certificate was only issued for my own test domain. But I could've also fake private keys of other peoples' [sic] certificates. Very likely Symantec® would have revoked them as well, causing downtimes for those sites," Böck wrote. "I even could've easily created a fake key belonging to Symantec's own certificate."

Böck also tested Comodo®, which correctly decided not to revoke his certificate.