1. What are the changes on PayPal's side?
PayPal is implementing the following changes to its service.
I. Discontinue use of the VeriSign G2 Root Certificate
In accordance with industry standards, PayPal will no longer accept secure connections to its API/IPN endpoints from clients that expect PayPal's certificate/trust chain to be signed by the G2 Root Certificate. Only connection requests from clients that accept a PayPal certificate/trust chain signed by the G5 Root Certificate will result in successful secure connections.
II. Update to the SHA-256 signing algorithm
PayPal is upgrading the SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256.
2. What should be done to continue using PayPal?
I. The server needs the "VeriSign Class 3 Public Primary Certification Authority - G5" CA certificate
On a CentOS server, CA certificates are stored in the /etc/pki/tls/certs/ca-bundle.crt file.
The presence of the "VeriSign Class 3 Public Primary Certification Authority - G5" CA certificate can be verified using the following command on CentOS.
======================================================
grep -C 5 --color=always "VeriSign Class 3 Public Primary Certification Authority - G5" /etc/pki/tls/certs/ca-bundle.crt
======================================================
Example:
======================================================
bash-4.1# grep -C 5 --color=always "VeriSign Class 3 Public Primary Certification Authority - G5" /etc/pki/tls/certs/ca-bundle.crt
Data:
Version: 3 (0x2)
Serial Number:
18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
======================================================
Any server with a modern, frequently updated operating system should already have the "VeriSign Class 3 Public Primary Certification Authority - G5" CA certificate. If it is not present on a server, it can be installed as shown below.
A. CentOS 5: Run the following command
yum update -y openssl
B. CentOS 6: Run the following command
yum update -y ca-certificates openssl
C. Windows: Install all Windows updates
CA certificates are delivered through Windows Update.
II. The server should support the SHA-256 SSL signing algorithm
Any server with a modern, frequently updated operating system should already support the SHA-256 SSL signing algorithm. If it is not supported on a server, it can be enabled as shown below.
A. CentOS 5: Run the following command
yum update -y openssl
B. CentOS 6: Run the following command
yum update -y openssl
C. Windows: Install all Windows updates
SSL features are delivered through Windows Update.
III. The website's SSL certificate should be SHA-2 (SHA-256) signed
It is important to ensure that the website is using a SHA-2 (SHA-256) signed SSL certificate.
Steps to check whether a website is using a SHA-2 (SHA-256) signed SSL certificate:
(a). Access your website in Google Chrome via HTTPS.
Note: We used https://control.bytehouse.co.uk in this example.
(b). Click the padlock icon.
(c). Now, click "Connection".
(d). Now, click "Certificate Information".
(e). Now, click "Details".
(f). Now, check the field "Signature hash algorithm".
If you see "Signature hash algorithm" as "sha256", everything is fine.
If you do NOT see "Signature hash algorithm" as "sha256", there is a problem; please contact Bytehouse Technical Support to resolve the issue.
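As an added example (not from the original article), the command-line counterpart to the checks in sections 2.I and 2.III: a Python 3 script that connects to a host using the CentOS CA bundle named in section 2.I, reports whether the certificate chain is trusted, and reads the signature algorithm straight out of the leaf certificate's DER encoding, since Python's ssl module does not expose it. The minimal DER parser, the function names and the connection timeout are this example's own assumptions.

```python
import socket
import ssl
SIG_ALG_OIDS = {  # signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> OpenSSL names
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA2_ALGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256"}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Convert DER OID content bytes to dotted form, e.g. '1.2.840.113549.1.1.11'."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der_cert):
    """Name (or raw OID) of the algorithm the issuer used to sign a DER X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, start, _ = _tlv(der_cert, 0)
    _, _, tbs_end = _tlv(der_cert, start)         # skip over tbsCertificate
    _, alg_start, _ = _tlv(der_cert, tbs_end)     # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der_cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID inside AlgorithmIdentifier")
    oid = decode_oid(der_cert[oid_start:oid_end])
    return SIG_ALG_OIDS.get(oid, oid)

def check_host(host, port=443, cafile="/etc/pki/tls/certs/ca-bundle.crt"):
    """Connect using the CentOS CA bundle; report chain trust and the leaf's signature algorithm."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError) as exc:  # e.g. the G5 root is missing from the bundle
        return {"trusted": False, "error": str(exc)}
    alg = signature_algorithm(der)
    return {"trusted": True, "signature_algorithm": alg, "sha2_signed": alg in SHA2_ALGS}
```

Call check_host() with your own website's hostname to cover section 2.III, or with a PayPal API/IPN endpoint hostname to cover section 2.I; a result with "trusted": False and a verification error means the bundle lacks the required root.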