
PayPal’s existing API certificate credentials are 1024-bit, SHA-1 certificates that expire after 10 years. Starting on February 4, 2016, all PayPal API certificate credentials issued will be 2048-bit, SHA-256 certificates that expire every 3 years. As a result, we are requiring all merchants to upgrade to the new 2048-bit certificates between now and January 1, 2018.

To avoid any disruption of service, you must verify that your systems are ready for this change by January 1, 2018.

Verify your certificate type

The easiest way to tell if you have the new type of API certificate is to navigate to the Manage API certificate page in your account profile:

  1. Log in to your PayPal account.
  2. Select Profile > Profile and Settings > My Selling Tools.
  3. Click Update next to API Access.
    Note: Alternatively, you can access your PayPal APIs at www.paypal.com/api.
  4. Select Manage API Credentials > View API Certificate.
  5. For your current API certificate:
    • If the Expiration date is three (3) years after the Request Date, you have the new type and are good to go.
    • If the Expiration date is ten (10) years after the Request Date, you need to replace it before January 1, 2018.

If you have the API certificate file that you downloaded from PayPal, you can also use OpenSSL to see if it is the new type of certificate:

openssl x509 -text -noout -in cert_key_pem.txt
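The fields to read in that output are the public key size, the signature algorithm and the validity dates. The following is an added example, not PayPal's own code: the function names and both sample excerpts are constructed for illustration, and it assumes the usual OpenSSL text layout for RSA certificates.

```shell
# Added example: classify an API certificate from the OpenSSL text dump.
# Real use: openssl x509 -text -noout -in cert_key_pem.txt | classify_api_cert

# Reads `openssl x509 -text -noout` output on stdin and prints
# "<key bits> <signature algorithm> <calendar years of validity>".
cert_summary() {
    awk '
        # The first "Signature Algorithm:" line describes the certificate itself.
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        # Matches "Public-Key: (2048 bit)" and the older "RSA Public Key: (1024 bit)".
        /Public[- ]Key: \(/ && bits == "" {
            s = $0; sub(/^.*\(/, "", s); sub(/ bit.*$/, "", s); bits = s
        }
        # Validity lines end in "<year> GMT", so the year is the next-to-last field.
        /Not Before:/  { nb = $(NF - 1) }
        /Not After *:/ { na = $(NF - 1) }
        END { print bits + 0, (sig == "" ? "unknown" : sig), na - nb }
    '
}

# Reports "new" only for a key of at least 2048 bits with a SHA-256 signature.
classify_api_cert() {
    set -- $(cert_summary)
    if [ "$1" -ge 2048 ] && [ "${2#sha256}" != "$2" ]; then
        echo "new: $1-bit, $2, ~$3 years"
    else
        echo "old: $1-bit, $2, ~$3 years"
    fi
}

# Constructed excerpts of OpenSSL output (not real PayPal certificates).
SAMPLE_OLD='        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Mar 10 12:00:00 2008 GMT
            Not After : Mar  8 12:00:00 2018 GMT
                RSA Public Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'
SAMPLE_NEW='        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Feb 10 12:00:00 2016 GMT
            Not After : Feb  9 12:00:00 2019 GMT
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$SAMPLE_OLD" | classify_api_cert
printf '%s\n' "$SAMPLE_NEW" | classify_api_cert
```

The year count is a simple difference of calendar years, so treat it as approximate; the verdict itself depends only on key size and signature algorithm.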

Replace your old API certificate before January 1, 2018

  1. Log in to your PayPal account.
  2. Select Profile > Profile and Settings > My Selling Tools.
  3. Click Update next to API Access.
    Note: Alternatively, you can access your PayPal APIs at www.paypal.com/api.
  4. Select Manage API Credentials > View API Certificate.
  5. Click the Renew Certificate button next to the Expiration date.
    • This button will create a second API certificate.
    • Both certificates can be used at the same time, which will allow you to update your systems with minimal downtime.

You can find additional details on renewing your API certificate credentials here:

Why is PayPal changing the API certificate credentials?
Payment industry standards have moved to more secure 2048-bit certificates, and certificate issuing authorities will stop issuing 1024-bit certificates in 2017.

Is the Root CA Certificate that is used to sign the API certificate credentials available?
Yes. The certificates issued as API credentials are signed by PayPal. If your systems require the Root CA Certificate for trust validation, contact your PayPal representative.

For more help, go to https://www.paypal-techsupport.com.

