Is my server & website compatible with the new SSL requirements of PayPal?


1. What are the changes on the PayPal side?

PayPal is implementing the following changes to its service.

I. Discontinue use of the VeriSign G2 Root Certificate

In accordance with industry standards, PayPal will no longer accept secure connections to the API/IPN endpoints from clients that expect the PayPal certificate/trust chain to be signed by the G2 Root Certificate. Only secure connection requests from clients that expect the PayPal certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

II. Update to the SHA-256 signing algorithm

PayPal is upgrading the SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 signing algorithm.

 

2. What should be done to continue to use PayPal?

I. The server needs the "VeriSign Class 3 Public Primary Certification Authority - G5" CA certificate

On a CentOS server, CA certificates are stored in the file /etc/pki/tls/certs/ca-bundle.crt.

The presence of the "VeriSign Class 3 Public Primary Certification Authority - G5" CA certificate can be verified with the following command on CentOS.

 

======================================================

grep -C 5  --color=always "VeriSign Class 3 Public Primary Certification Authority - G5" /etc/pki/tls/certs/ca-bundle.crt
======================================================

Example:


======================================================
bash-4.1# grep -C 5  --color=always "VeriSign Class 3 Public Primary Certification Authority - G5" /etc/pki/tls/certs/ca-bundle.crt
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
======================================================

Any server with a modern, regularly updated operating system should already have the "VeriSign Class 3 Public Primary Certification Authority - G5" CA certificate. If it is not present on a server, it can be installed as shown below.

A. CentOS 5: Run the following command

yum update -y openssl

B. CentOS 6: Run the following command

yum update -y ca-certificates openssl

C. Windows: Install all Windows updates

On Windows, CA certificates are delivered through Windows Update.

 

II. The server should support the SHA-256 SSL signing algorithm

Any server with a modern, regularly updated operating system should already support the SHA-256 SSL signing algorithm. If it is not supported on a server, it can be enabled as shown below.

A. CentOS 5: Run the following command

yum update -y openssl

B. CentOS 6: Run the following command

yum update -y openssl

C. Windows: Install all Windows updates

On Windows, SSL features are delivered through Windows Update.

 

III. The website SSL certificate should be SHA-2 (SHA-256) signed

It is important to ensure that the website is using a SHA-2 (SHA-256) signed SSL certificate.

Steps to check whether a website is using a SHA-2 (SHA-256) signed SSL certificate


(a). Access your website in Google Chrome via HTTPS.

Note: We used https://control.bytehouse.co.uk in this example.

(b). Click the padlock icon.

(c). Now, click "Connection".

(d). Now, click "Certificate Information".

(e). Now, click "Details".

(f). Now, check the field "Signature hash algorithm".

If you see "Signature hash algorithm" as "sha256", everything is fine.

If you do NOT see "Signature hash algorithm" as "sha256", there is a problem; please contact Bytehouse Technical Support to resolve the issue.
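The two checks above (the G5 root in the CA bundle from section 2.I and the SHA-256 signature on the website certificate from section 2.III) can also be scripted for a server where no browser is available. This is an added example, not code from the Bytehouse article: it assumes the openssl command-line tool is installed, uses the CentOS bundle path named above by default, and the function names are our own.

```shell
#!/usr/bin/env bash
# Added example (not from the Bytehouse article). Assumes the openssl CLI is
# installed; the default bundle path is the CentOS location named above.

G5_SUBJECT="VeriSign Class 3 Public Primary Certification Authority - G5"

# Returns 0 if the CA bundle contains the G5 root. Decoding each PEM block
# also covers bundles that lack the text dump the article's grep relies on.
ca_bundle_has_g5() {
    local bundle="${1:-/etc/pki/tls/certs/ca-bundle.crt}"
    openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null | grep -q "$G5_SUBJECT"
}

# Prints the signature algorithm of a PEM certificate file,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# Prints the signature algorithm of the certificate a site serves on port 443
# (the field Chrome shows as "Signature hash algorithm").
site_sig_alg() {
    local host="$1" port="${2:-443}"
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | awk '/Signature Algorithm/ { print $3; exit }'
}

# Returns 0 for a SHA-2 family signature (sha256 as the article expects;
# sha384 and sha512 are SHA-2 too), 1 for anything else, including sha1.
is_sha2_sig() {
    case "$1" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_site control.bytehouse.co.uk  (prints a verdict; exit status 0 when SHA-2)
check_site() {
    local alg
    alg="$(site_sig_alg "$1")"
    if is_sha2_sig "$alg"; then
        echo "$1: $alg (SHA-2, OK)"
    else
        echo "$1: ${alg:-no certificate read} (NOT SHA-2, contact support)"
        return 1
    fi
}
```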

 

 

 

Last update:
2015-10-01 10:18
Author:
Bytehouse Technical Support
Revision:
1.15