PayPal’s existing API certificate credentials are 1024-bit, SHA-1 certificates that expire after 10 years. Starting on February 4, 2016, all PayPal API certificate credentials issued will be 2048-bit, SHA-256 certificates that expire every 3 years. As a result, we are requiring all merchants to upgrade to the new 2048-bit certificates between now and September 2018.
To avoid any disruption of service, you must verify that your systems are ready for this change by September 2018.
PayPal is committed to providing the highest level of security to protect customer and transactional data, and we work closely with our merchant community to do the same. In response to feedback from several merchants, PayPal did not strictly enforce some of these vital security upgrades before the June 2017 deadline. However, in order to provide the most secure experience for all of our customers, PayPal must proceed with implementing these upgrades in the first half of 2018. To help merchants understand the areas of their integration that still require work, in March we will conduct brief rounds of testing to demonstrate the upgraded security experience. A complete list of testing dates and times is available on the Merchant Security Upgrade Testing Microsite.
Verify your certificate type
The easiest way to tell if you have the new type of API certificate is to navigate to the Manage API certificate page in your account profile:
If you have the API certificate file that you downloaded from PayPal, you can also use OpenSSL to see if it is the new type of certificate:
openssl x509 -text -noout -in cert_key_pem.txt
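As an added example (not PayPal's code), the following Python helper reads the fields this notice cares about out of the text dump that command prints and flags whether the credential is the new 2048-bit, SHA-256 type; the two embedded dumps are constructed and abridged, not real PayPal certificates.

```python
import re
import subprocess
from datetime import datetime

# Constructed, abridged dumps in the shape `openssl x509 -text -noout` prints.
# Neither is a real PayPal certificate; only the fields the check reads are present.
OLD_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=EXAMPLE-OLD-ISSUER
        Validity
            Not Before: Mar  1 00:00:00 2010 GMT
            Not After : Mar  1 00:00:00 2020 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
"""
NEW_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=EXAMPLE-NEW-ISSUER
        Validity
            Not Before: Feb  4 00:00:00 2016 GMT
            Not After : Feb  4 00:00:00 2019 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

def classify_cert(text):
    """Parse signature algorithm, key size and expiry out of an x509 text dump."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    # Older OpenSSL prints "RSA Public Key: (N bit)", newer prints "Public-Key: (N bit)".
    bits = int(re.search(r"Public.Key: \((\d+) bit\)", text).group(1))
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    return {
        "signature_algorithm": sig,
        "key_bits": bits,
        "not_after": expires,
        # New-style credential: 2048-bit RSA key signed with SHA-256.
        "is_new_style": bits >= 2048 and sig.lower().startswith("sha256"),
    }

def classify_cert_file(path):
    """Run the command from the notice on a downloaded cert_key_pem.txt and classify it."""
    out = subprocess.run(["openssl", "x509", "-text", "-noout", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return classify_cert(out)

if __name__ == "__main__":
    for label, dump in (("old", OLD_CERT_TEXT), ("new", NEW_CERT_TEXT)):
        print(label, classify_cert(dump))
```

A certificate that reports `is_new_style` as False still needs to be replaced before the September 2018 deadline described below.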
Replace your old API certificate before September 2018
You can find additional details on renewing your API certificate credentials here:
Why is PayPal changing the API certificate credentials?
Payment industry standards have moved to more secure 2048-bit certificates, and certificate issuing authorities will stop issuing 1024-bit certificates in 2017.
Is the Root CA Certificate that is used to sign the API certificate credentials available?
Yes. The certificates issued as API credentials are signed by PayPal. If your systems require the Root CA Certificate for trust validation, contact your PayPal representative.
For more help, go to https://www.paypal-techsupport.com.