SSL Certificate Upgrade

PayPal is in the process of upgrading the SSL certificates used to secure our web sites and API endpoints. These new certificates will be signed using the SHA-256 algorithm and VeriSign’s 2048-bit G5 Root Certificate.

You will need to ensure that your environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.

Merchant Security Roadmap

The information that follows is of a highly technical nature and should be reviewed by one of the following:

  • Your web hosting company
  • Your e-commerce software provider
  • Your in-house web programmer/system administrator

In a Nutshell...

  1. Support SHA-256. PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm. You will need to update your integration to support certificates using SHA-256.
  2. Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

For detailed information on these changes, please reference the Merchant Security System Upgrade Guide. For a basic introduction to internet security, we also recommend these short videos on SSL Certificates and Public Key Cryptography.

NOTE: These updates are in response to an industry-wide security upgrade and are not unique to PayPal. They will help secure your website’s interaction with the PayPal website and Application Programming Interfaces (APIs).

This change is complete as of October 18, 2016

Technical Details

Sandbox Endpoints - Ready Now

The PayPal Sandbox endpoints have been configured with the latest security standards to which the Production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards prior to the Production endpoints getting updated. These endpoints have been upgraded to the new SHA-256, 2048-bit certificates:

  • api.sandbox.paypal.com
  • api-3t.sandbox.paypal.com
  • api-aa.sandbox.paypal.com
  • api-aa-3t.sandbox.paypal.com
  • svcs.sandbox.paypal.com
  • pointofsale.sandbox.paypal.com
  • ipnpb.sandbox.paypal.com
  • www.sandbox.paypal.com

Production Endpoints - Ready Now

The following Production endpoints have been upgraded to the new SHA-256, 2048-bit certificates:

  • pointofsale.paypal.com
  • www.paypal.com
  • All Payflow endpoints
  • api.paypal.com
  • api-3t.paypal.com
  • api-aa.paypal.com
  • api-aa-3t.paypal.com
  • svcs.paypal.com
  • ipnpb.paypal.com
  • m.paypal.*
  • mobile.paypal.com
  • mobileclient.paypal.com

Merchant Security System Upgrade Guides

FAQs

What happened to SHA-1?

The decision to sunset SHA-1 was mandated by the CA/Browser Forum on October 16, 2014.

Can I update BOTH the G5 root and SHA-256 certificate at the same time?

Yes. First, confirm that the VeriSign G5 Root Certificate is in your keystore. If not, then download and add it. Next, update your SSL software to process SHA-256 certificates.

My systems require that certificates be installed in the keystore. Where can I get the new certificates that will be deployed by PayPal?

The new certificates that will be deployed later this year can be found here along with the current production certificates.

How do I know if my integration is affected?

We have made changes to the Sandbox environments prior to the upcoming Live changes, so you can verify your integration against the Sandbox.

If you see these or similar error messages in the Sandbox environment, you will need to update your integration before we make changes to our Live environment.

  • "Unable to find valid certification path to requested target"
  • "SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled"
  • "alert handshake failure"
  • "Problem with the SSL CA cert (path? access rights?)"
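One way to check the SHA-256 requirement directly, instead of waiting for one of the errors above, is to inspect the signatureAlgorithm field of the certificate an endpoint presents. The following is an added example, not PayPal's code: a stdlib-only DER walk that reports whether a certificate is signed with the sunset SHA-1 algorithm or with SHA-256. fetch_server_certificate needs network access to the Sandbox hosts listed above; sample_certificate builds a constructed stand-in (placeholder tbsCertificate and signature fields) so the parser can be exercised offline.

```python
import ssl

# Signature-algorithm OIDs (RFC 4055 / RFC 5758) relevant to this migration.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                               # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                               # long form: 0x8n + n bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def _decode_oid(raw):
    """Decode OID contents to dotted form; byte 0 packs the first two arcs."""
    arcs, value = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # clear high bit ends an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name) of Certificate.signatureAlgorithm from DER bytes."""
    tag, start, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    alg_tag, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIGNATURE_OIDS.get(oid, "unknown")

def fetch_server_certificate(host, port=443):
    """Leaf certificate presented by a live endpoint (needs network access)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def sample_certificate(oid_bytes):
    """Constructed stand-in: placeholder tbsCertificate and signature fields."""
    alg_body = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    alg = b"\x30" + bytes([len(alg_body)]) + alg_body
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body
```

Running signature_algorithm(fetch_server_certificate("api.sandbox.paypal.com")) gives a direct SHA-1/SHA-256 answer for the Sandbox; the same call against the Production hosts listed above shows what your integration will meet there.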

Do I need to update my SDK?

No, however, you may want to verify that you are using the latest version of your SDK. If not, follow the instructions provided to update your SDK. If you are not using a PayPal SDK, then you will need to contact your third-party provider for assistance.

Although an upgrade shouldn't be required for the certificate, an upgrade may be required for TLS 1.2. For details, see the TLS microsite.

What do I do if I encounter intermittent SSL handshake errors during the scheduled PayPal testing?

It is crucial that the appropriate changes to your integration be made immediately to avoid further interruption. Prior to requesting any permanent change you should build/test in the PayPal Sandbox or Payflow Pilot environment. Please refer to the Merchant Security System Upgrade Guide for more information.

How do I resend an IPN that failed in the POST back validation?

You can resend the IPN from your PayPal account. For detailed instructions, please see Resending IPN Messages at developer.paypal.com. Note: The IPN will not display as “Fail”, because those IPNs were successfully delivered to your server; what failed was the POST back to PayPal for validation.

How do I test IPN in the Sandbox environment?

See IPN Testing at developer.paypal.com, and refer specifically to "Sandbox testing". For additional help, you can open a ticket on the PayPal Technical Support page. For the Product option, be sure to select "Security Changes (TLS/Certificate)", which is pinned at the top of the list.