DigiCert

Last updated

DigiCert, Inc.
Company type Private company
Industry Internet security, Public key infrastructure, IoT security
Founded2003;21 years ago (2003)
Headquarters
Lehi, Utah, U.S.
Number of locations
12
Area served
Worldwide
Key people
Number of employees
1,000+
Subsidiaries CyberTrust
GeoTrust
QuoVadis
RapidSSL
Thawte
Mocana
DNS Made Easy
Website www.digicert.com

DigiCert, Inc. is a digital security company headquartered in Lehi, Utah. [1] DigiCert provides public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates, acting as a certificate authority (CA) and trusted third party.

Contents

History

Example of a DigiCert issued wildcard certificate for *.wikipedia.org Firefox 89 AboutCertificate screenshot.png
Example of a DigiCert issued wildcard certificate for *.wikipedia.org

DigiCert was founded by Ken Bretschneider in 2003 and sold in 2012. [2] [3] [4] Bretschneider stepped down from the position of CEO to retain business strategy oversight as executive board chairman while Nicholas Hales became CEO. [5] [6] In 2016, the company named John Merrill CEO, [7] who left the company in 2022. [8]

In 2005, DigiCert became a founding member of the CA/Browser Forum. [9]

In 2007, DigiCert partnered with Microsoft to develop the industry's first multi-domain (SAN) certificate. [10]

In 2015, DigiCert acquired the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions, becoming the world's second-largest certificate authority for high-assurance or extended validation (EV) TLS/SSL certificates. [11]

On August 28, 2015, private equity firm Thoma Bravo acquired a majority stake in DigiCert, with TA Associates holding a minority share. [12]

In 2017, DigiCert acquired the TLS/SSL and PKI businesses from Symantec, including brands GeoTrust, Rapid SSL (part of GeoTrust), Thawte and Verisign [13] The acquisition resulted from questions first raised in 2015 by web browsers Google and Mozilla about the authenticity of certificates issued by Symantec, which represented one-third of all TLS/SSL certificates on the web. [14] [15] In September 2017, Google and Mozilla announced they would "reduce, and ultimately remove, trust in Symantec's Root Keys in order to uphold user's security and privacy when browsing the web".

The final distrust deadline for certificates chaining to Symantec roots was set for October 2018. [16] Symantec agreed to transfer its certificate business to its top TLS/SSL competitor, DigiCert, whose roots were trusted by browsers. [17] In December 2017, DigiCert began issuing free replacements for all distrusted certificates from Symantec, GeoTrust, RapidSSL, Thawte, and VeriSign. By Oct. 2018, the company had revalidated more than 550,000 organizational identities and issued more than 5 million replacement certificates for affected customers. [18]

In 2018, DigiCert acquired QuoVadis, a trust service provider (TSP) headquartered in Switzerland offering qualified digital certificates, PKI services, and PrimoSign electronic signature software. [19] Qualified digital certificates from QuoVadis (now backed by DigiCert) comply with eIDAS, a set of EU standards for electronic transactions requiring legal proof of authentication. The EU Payment Services Directive mandated that banks and other financial institutions operating in Europe begin using qualified digital certificates by Jun. 2019. According to DigiCert, "the QuoVadis acquisition aligns with the company's vision of providing globally dispersed and robust PKI-based solutions with local support." [20]

In 2019, the company announced a new R&D division called DigiCert Labs, "an initiative dedicated to researching and developing innovative approaches to security challenges". [21] DigiCert Labs will collaborate with other enterprise labs – including Microsoft Research, Utimaco, ISARA, and Gemalto – and make grants to universities for the study of topics related to authentication, data integrity, encryption and identity. Initial research projects will focus on post-quantum cryptography and machine learning. [22] In 2019, DigiCert also launched the first post-quantum computing tool kit. [23]

In 2019, Clearlake Capital Group, L.P., a leading private investment firm, and TA Associates, an existing investor, reached an agreement to make a strategic growth investment in DigiCert. As part of the transaction, Clearlake, and TA Associates become equal partners in the company. [24] [25]

In January 2022, DigiCert acquired IoT security company Mocana. [26] In June 2022, the company acquired DNS Made Easy, a DNS services provider. [27]

On October 19, 2022, DigiCert named Dr. Amit Sinha as CEO and board member. [8] Amit had previously led technology and innovation at the cloud security company Zscaler the previous 12 years.

Industry Involvement

DigiCert is involved in industry and regulatory groups and projects, [28] [29] [30] such as:

Criticism

DigiCert Inc. is not related to Digicert Sdn. Bhd, a Malaysian-based certification authority that issues certificates with weak keys and had its trust revoked by web browsers. [42] [43] [44]

DigiCert faced criticism during its 2017 acquisition of Symantec's certificate business. The acquisition was prompted by concerns from major web browsers about the authenticity of certificates issued by Symantec, leading to a reduction in trust for Symantec's root keys. DigiCert moved Symantec customers to its platform while maintaining the validity of existing certificates during the transition. [45]

In 2019, Google security researcher Scott Helme found approximately a million dollars worth of extended verification certificates that needed to be revoked due to faulty data, a significant portion of which were DigiCert certificates. [46] [47]

In 2022, DigiCert was condemned by Scott Helme for pushing [48] QWAC scheme of certificate similar to EV certificates that undermined trust in certificates. [49] [50] [51]

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

<span class="mw-page-title-main">Root certificate</span> Certificate identifying a root authority

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI). Either it has matched Authority Key Identifier with Subject Key Identifier, in some cases there is no Authority Key identifier, then Issuer string should match with Subject string. For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates.

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

<span class="mw-page-title-main">Verisign</span> American Internet company

Verisign, Inc. is an American company based in Reston, Virginia, that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the .com, .net, and .name generic top-level domains and the .cc country-code top-level domains, and the back-end systems for the .jobs and .edu sponsored top-level domains.

<span class="mw-page-title-main">Gen Digital</span> Multinational software company

Gen Digital Inc. is a multinational software company co-headquartered in Tempe, Arizona and Prague, Czech Republic. The company provides cybersecurity software and services. Gen is a Fortune 500 company and a member of the S&P 500 stock-market index. The company also has development centers in Pune, Chennai and Bangalore. Its portfolio includes Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner.

CyberTrust was a security services company formed in Virginia in November 2004 from the merger of TruSecure and Betrusted. Betrusted previously acquired GTE Cybertrust. Cybertrust acquired a large stake in Ubizen, a European security services firm based in Belgium, to become one of the largest information security firms in the world. It was acquired by Verizon Business in 2007. In 2015, the CyberTrust root certificates were acquired by DigiCert, Inc., a leading global Certificate Authority (CA) and provider of trusted identity and authentication services.

Thawte Consulting is a certificate authority (CA) for X.509 certificates. Thawte was founded in 1995 by Mark Shuttleworth in South Africa. As of December 30, 2016, its then-parent company, Symantec Group, was collectively the third largest public CA on the Internet with 17.2% market share.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity. Code signing was invented in 1995 by Michael Doyle, as part of the Eolas WebWish browser plug-in, which enabled the use of public-key cryptography to sign downloadable Web app program code using a secret key, so the plug-in code interpreter could then use the corresponding public key to authenticate the code before allowing it access to the code interpreter's APIs.

GeoTrust is a digital certificate provider. The GeoTrust brand was bought by Symantec from Verisign in 2010, but agreed to sell the certificate business in August 2017 to private equity and growth capital firm Thoma Bravo LLC. GeoTrust was the first certificate authority to use the domain-validated certificate method which accounts for 70 percent of all SSL certificates on the Internet. By 2006, GeoTrust was the 2nd largest certificate authority in the world with 26.7 percent market share according to independent survey company Netcraft.

GlobalSign is a certificate authority and a provider of internet identity and security products. As of January 2015, Globalsign was the 4th largest certificate authority in the world, according to Netcraft.

The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser and secure email software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications. Its guidelines cover certificates used for the SSL/TLS protocol and code signing, as well as system and network security of certificate authorities.

StartCom was a certificate authority founded in Eilat, Israel, and later based in Beijing, China, that had three main activities: StartCom Enterprise Linux, StartSSL and MediaHost. StartCom set up branch offices in China, Hong Kong, the United Kingdom and Spain. Due to multiple faults on the company's end, all StartCom certificates were removed from Mozilla Firefox in October 2016 and Google Chrome in March 2017, including certificates previously issued, with similar removals from other browsers expected to follow.

DigiNotar was a Dutch certificate authority, established in 1998 and acquired in January 2011 by VASCO Data Security International, Inc. The company was hacked in June 2011 and it issued hundreds of fake certificates, some of which were used for man-in-the-middle attacks on Iranian Gmail users. The company was declared bankrupt in September 2011.

<span class="mw-page-title-main">Certificate Authority Security Council</span> Organization

The Certificate Authority Security Council (CASC) is a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.

Certificate Transparency (CT) is an Internet security standard for monitoring and auditing the issuance of digital certificates. When an internet user interacts with a website, a trusted third party is needed for assurance that the website is legitimate and that the website's encryption key is valid. This third party, called a certificate authority (CA), will issue a certificate for the website that the user's browser can validate. The security of encrypted internet traffic depends on the trust that certificates are only given out by the certificate authority and that the certificate authority has not been compromised.

Trustico is a dedicated SSL certificate provider, They are headquartered in the United Kingdom.

References

  1. Harvey, Tom (August 3, 2017). "Utah-Based Digicert Paying Nearly $1 Billion to Acquire Symantec's Website Security Offerings". Salt Lake Tribune . Archived from the original on August 11, 2017.
  2. Metz, Rachel (December 15, 2015). "Inside the First VR Theme Park". MIT Technology Review . Archived from the original on August 12, 2020.
  3. Barnes, Brooks (February 19, 2017). "With New Invention, Virtual Reality's Potential for Magic Gets Real". The New York Times . Archived from the original on February 20, 2017.
  4. "Utah's DigiCert reorganizes its management". Salt Lake Tribune . April 17, 2012. Archived from the original on November 7, 2023.
  5. "Digicert Promotes Their COO, LogLogic is Acquire, and More Company News". SC World. July 2, 2012.
  6. "Utah's DigiCert Reorganizes Its Management". The Salt Lake Tribune . April 17, 2012. Archived from the original on August 3, 2017.
  7. “DigiCert names CEO”. Daily Herald. Retrieved 2019-02-28.
  8. 1 2 "DigiCert Appoints Industry Veteran Amit Sinha as Chief Executive Officer" (Press release). DigiCert / PR Newswire. October 19, 2022. Archived from the original on September 18, 2024.
  9. 1 2 "Members". CAB Forum. August 31, 2013. Retrieved January 27, 2023.
  10. "DigiCert Fact Sheet" (PDF). digicert.com.[ citation needed ]
  11. “DigiCert Acquires Verizon Enterprise SSL Business”. DigiCert.com. Retrieved 2019-03-01.
  12. Kerner, Sean Michael (August 28, 2015). "Thoma Bravo Invests in Security Firm DigiCert". eWeek .
  13. Raymond, Art (August 3, 2017). "Lehi's DigiCert swallows web security competitor in $1 billion deal". Deseret News . Archived from the original on August 4, 2017. Retrieved May 21, 2020.
  14. Sharwood, Simon (August 3, 2017). "Symantec offloads its certs and web security biz to DigiCert". The Register . Archived from the original on August 12, 2020.
  15. Constantin, Lucian (March 24, 2017). "To punish Symantec, Google may distrust a third of the web's SSL certificates". PC World . Archived from the original on October 22, 2021.
  16. “Chrome’s Plan to Distrust Symantec Certificates”. Google . Retrieved 2019-03-05.
  17. "DigiCert Closes Acquisition of Symantec's Website SSL Security Unit". eWeek . Retrieved 2019-03-11.
  18. "DigiCert works with its customers and partners to successfully move past Google's distrust of Symantec TLS certificates". PR Newswire (Press release). Retrieved March 1, 2019.
  19. Kent, Jonathan (October 31, 2018). "QuoVadis to be sold to US firm DigiCert". www.royalgazette.com. Retrieved August 24, 2022.
  20. Barker, Sara. “DigiCert’s QuoVadis acquisition extends PKI expertise in Europe”. SecurityBrief EMEA. Retrieved 2019-03-05.
  21. “DigiCert Labs to innovate new security technologies that address emerging threats through collaboration with academic and industry research”. PR Newswire . Retrieved 2019-02-28.
  22. Barker, Sara. “DigiCert Labs to research postquantum cryptography and ML”. SecurityBrief EMEA. Retrieved 2019-02-28.
  23. "DigiCert Announces Post-Quantum Computing Tool Kit | DigiCert.com". www.digicert.com. Retrieved January 27, 2023.
  24. "News | TA". TA Associates. Retrieved July 16, 2019.
  25. "CLEARLAKE CAPITAL GROUP AND TA ASSOCIATES TO MAKE A STRATEGIC GROWTH INVESTMENT IN DIGICERT". Clearlake Capital. July 9, 2019. Retrieved July 16, 2019.
  26. Sawers, Paul (January 13, 2022). "DigiCert acquires Mocana to bolster IoT security". VentureBeat. Retrieved January 27, 2022.
  27. Graham, Patrick (June 9, 2022). "DigiCert Acquires DNS Made Easy". Mergers & Acquisitions. Archived from the original on September 18, 2024. Retrieved August 24, 2022.
  28. "Industry Partnerships | DigiCert.com". www.digicert.com. Retrieved June 6, 2023.
  29. "DigiCert Company Culture". www.digicert.com. Retrieved June 6, 2023.
  30. News, Industry (May 22, 2020). "DigiCert named 2020 Global Company of the Year in TLS certificate market by Frost & Sullivan". Help Net Security. Retrieved June 6, 2023.{{cite web}}: |last= has generic name (help)
  31. ThePKIGuy (May 19, 2020). "The PKI Guy talks standards with Dean Coclin, chair of the ASC X9 PKI study group". PKI Solutions LLC. Retrieved June 6, 2023.
  32. Frazier, Ambria (December 4, 2019). "ASC X9 Revives PKI Working Group To Address New Public Key Infrastructure Needs". Accredited Standards Committee X9. Retrieved June 6, 2023.
  33. "DigiCert selected to provide Root CA for AeroMACS". Datacentre Solutions. March 8, 2018. Retrieved June 6, 2023.
  34. "Corporate Members". Anti-Phishing Working Group . Archived from the original on September 17, 2024. Retrieved June 6, 2023.
  35. "DigiCert Root CA First Approved for Matter Device Attestation by Connectivity Standards Alliance | DigiCert". www.digicert.com. Retrieved June 6, 2023.
  36. https://www.digicert.com/content/dam/digicert/pdfs/ci-plus-tv-case-study.pdf [ bare URL PDF ]
  37. kgwynn. "Member List". DirectTrust. Retrieved June 6, 2023.
  38. "DigiCert and Eonti Selected by the Western Canadian NG9-1-1 Network Operator to Secure the Next Generation 9-1-1 Systems" (Press release). PR Newswire. June 22, 2022. Archived from the original on June 22, 2022.
  39. DigiCert. "DigiCert Joins NIST Consortium on Effective TLS Server Certificate Management". DigiCert. Retrieved June 6, 2023.
  40. "NCCoE Announces Technology Collaborators for the Migration to Post-Quantum Cryptography Project" (Press release). National Institute of Standards and Technology. July 15, 2022. Archived from the original on September 27, 2024.
  41. "SAE International Hires World-Class Contractor Team for EV Charging Public Key Infrastructure Cooperative Research Project" (Press release). SAE International. February 9, 2021. Archived from the original on June 6, 2023.
  42. "SSL Certificate Support - Entrust, Inc". Entrust.net. Archived from the original on June 29, 2015. Retrieved December 25, 2015.
  43. Revoking Trust in DigiCert Sdn. Bhd Intermediate Certificate Authority, Mozilla. "DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla's root program."
  44. Microsoft Security Advisory (2641690) "DigiCert Sdn. Bhd is not affiliated with the corporation DigiCert, Inc., which is a member of the Microsoft Root Certificate Program."
  45. Duckett, Chris (August 2, 2017). "Symantec to Get Almost $1B Plus Stock in Certificate Business Sale". ZDNet . Archived from the original on August 4, 2017.
  46. Aas, Josh; Barnes, Richard; Case, Benton; Durumeric, Zakir; Eckersley, Peter; Flores-López, Alan; Halderman, J. Alex; Hoffman-Andrews, Jacob; Kasten, James; Rescorla, Eric; Schoen, Seth; Warren, Brad (November 6, 2019). "Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web" (PDF). Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. pp. 2473–2487. doi:10.1145/3319535.3363192. ISBN   978-1-4503-6747-9.
  47. Helme, Scott (September 11, 2019). "Extended Validation not so... extended? How I revoked $1,000,000 worth of EV certificates!". Archived from the original on September 11, 2019. Retrieved March 24, 2022.
  48. Helme, Scott (January 4, 2022). "If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate" . Retrieved March 24, 2022.
  49. "Mozilla and the EFF publish letter about the danger of Article 45.2 | The Mozilla Blog". blog.mozilla.org. Retrieved March 24, 2022.
  50. "Experts urge EU not to force insecure certificates in web browsers". BleepingComputer. Retrieved March 24, 2022.
  51. Callas, Alexis Hancock and Jon (February 9, 2022). "What the Duck? Why an EU Proposal to Require "QWACs" Will Hurt Internet Security". Electronic Frontier Foundation. Retrieved March 24, 2022.