Merchant API Certificate Credentials Upgrade

The API certificate credentials issued by PayPal for use with the Classic API are being upgraded to SHA-256 signed 2048-bit certificates. If you currently connect to PayPal using API certificate credentials, you will need to generate a new API certificate via your account profile and use it for all API requests.

Merchant Security Roadmap

The information that follows is of a highly technical nature and should be reviewed by one of the following:

  • Your web hosting company
  • Your e-commerce software provider
  • Your in-house web programmer/system administrator

In a Nutshell...

PayPal’s existing API certificate credentials are 1024-bit, SHA-1 certificates that expire after 10 years. Starting on February 4, 2016, all PayPal API certificate credentials issued will be 2048-bit, SHA-256 certificates that expire every 3 years. As a result, we are requiring all merchants to upgrade to the new 2048-bit certificates between now and September 2018.

To avoid any disruption of service, you must verify that your systems are ready for this change by September 2018.

Technical Details

Verify your certificate type

The easiest way to tell if you have the new type of API certificate is to navigate to the Manage API certificate page in your account profile:

  1. Log in to your PayPal account.
  2. Go to Profile > My selling tools > API access > View API Certificate.
  3. For your current API certificate:
    • If the Expiration date is three (3) years after the Request Date, you have the new type and are good to go.
    • If the Expiration date is ten (10) years after the Request Date, you need to replace it before September 2018.

If you have the API certificate file that you downloaded from PayPal, you can also use OpenSSL to see if it is the new type of certificate:

openssl x509 -text -noout -in cert_key_pem.txt
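The OpenSSL check above, scripted so it reports which certificate type a downloaded file is, as an added example (not PayPal's own tooling); it assumes an RSA certificate and the usual English field names in `openssl x509 -text` output:

```shell
#!/bin/sh
# Added example (not PayPal's tooling): classify an API certificate file as the
# old type (1024-bit key, SHA-1 signature, ~10-year validity) or the new type
# (2048-bit key, SHA-256 signature, ~3-year validity) from `openssl x509 -text`.
# Assumes an RSA certificate and the usual English field names in the dump.

# classify_cert_text: reads an `openssl x509 -text -noout` dump on stdin and
# prints NEW, OLD or UNKNOWN. Validity is measured as a difference of calendar
# years, so a 1095-day certificate shows as 2 or 3 and a 3650-day one as 9 or 10.
classify_cert_text() {
    awk '
        # keep the first "Signature Algorithm" line (the dump repeats it at the end)
        /Signature Algorithm:/ && sigalg == "" { sigalg = $NF }
        /Public-Key:/ { bits = $(NF-1); gsub(/[()]/, "", bits) }
        /Not Before:/ { before = $(NF-1) }
        /Not After :/ { after  = $(NF-1) }
        END {
            years = after - before
            if (bits + 0 == 2048 && sigalg == "sha256WithRSAEncryption" && years >= 2 && years <= 3)
                print "NEW"
            else if (bits + 0 == 1024 && sigalg == "sha1WithRSAEncryption" && years >= 9 && years <= 10)
                print "OLD"
            else
                print "UNKNOWN"
        }'
}

# check_paypal_cert FILE: run openssl on the downloaded certificate file
# (cert_key_pem.txt in the step above) and print the classification.
check_paypal_cert() {
    openssl x509 -text -noout -in "$1" | classify_cert_text
}

# Usage: sh check_cert.sh cert_key_pem.txt
if [ $# -gt 0 ]; then
    check_paypal_cert "$1"
fi
```

A result of OLD means the certificate must be replaced before September 2018; UNKNOWN means the file is not an RSA certificate of either type (or is not a certificate at all) and should be inspected by hand.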

Replace your old API certificate before September 2018

  1. Log in to your PayPal account.
  2. Go to Profile > My selling tools > API access > View API Certificate.
  3. Click the Renew Certificate button next to the Expiration date.
    • This button will create a second API certificate.
    • Both certificates can be used at the same time, which allows you to update your systems with minimal downtime.

You can find additional details on renewing your API certificate credentials here:

Renewing your API Certificate

FAQs

Why is PayPal changing the API certificate credentials?

Payment industry standards have moved to more secure 2048-bit certificates, and certificate issuing authorities will stop issuing 1024-bit certificates in 2017.

Is the Root CA Certificate that is used to sign the API certificate credentials available?

Yes. The certificates issued as API credentials are signed by PayPal. If your systems require the Root CA Certificate for trust validation, contact your PayPal representative.

UPDATE