As part of an industry-wide effort to adopt strict security standards, PayPal is upgrading the SSL certificates it uses to secure its sites and API endpoints. By June 17, 2016, SSL certificates will need to be signed using the SHA-256 algorithm and VeriSign’s 2048-bit G5 Root Certificate.
At that time, PayPal’s service will discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.
You can easily determine whether your server supports this new standard by logging into your server via SSH and running a single command:
openssl s_client -connect api-3t.sandbox.paypal.com:443 -showcerts | egrep -wi "G5|return"
If your server complies with the requirements, you will see a result similar to the following:
Verify return code: 0 (ok)
In that output, you will want to note the presence of two specific items:
- A Certification Authority containing “G5”. Note that you may see several CA lines in your output; as long as G5 is included, your server is compliant.
- A Verify return code of “0 (ok)”.
If both are present, your server is compliant and no further action needs to be taken.
If neither is present, then your server will need to have the G5 certificate bundle installed. All Managed customers may feel free to contact Heroic Support® to have it installed.