How To Verify That Your Server Meets PayPal SSL Requirements

Posted on May 23, 2016 by dpepper

Category: Technical Support | Tags: g5, paypal, SSL, Verisign

Reading Time: < 1 minute

As part of an industry-wide effort to adopt strict security standards, PayPal is upgrading the SSL certificates it uses to secure its sites and API endpoints. By June 17, 2016, SSL certificates will need to be signed using the SHA-256 algorithm and VeriSign’s 2048-bit G5 Root Certificate.

At that time, PayPal’s service will discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.

You can easily determine whether your server supports this new standard by logging into your server via SSH and running a single command:

openssl s_client -connect api-3t.sandbox.paypal.com:443 -showcerts | egrep -wi "G5|return"

If your server complies with the requirements, you will see a result similar to the following:

i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. – For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority – G5
Verify return code: 0 (ok)

In that output, you will want to note the presence of two specific items:

A Certification Authority containing “G5”. Note that you may see several CA lines in your output; as long as G5 is included, your server is compliant.
A Verify return code of “0 (ok)”.

If both are present, your server is compliant and no further action needs to be taken.

If neither is present, then your server will need to have the G5 certificate bundle installed. All Managed customers may feel free to contact Heroic Support® to have it installed.

NOTE: CentOS 5 (and earlier) is not capable of supporting the new standard. If your server runs CentOS 5 (or earlier), it will need to be upgraded. A member of Heroic Support® will be able to assist.