PayPal’s existing API certificate credentials are 1024-bit, SHA-1 certificates that expire after 10 years. Starting on February 4, 2016, all PayPal API certificate credentials issued will be 2048-bit, SHA-256 certificates that expire every 3 years. As a result, we are requiring all merchants to upgrade to the new 2048-bit certificates between now and January 1, 2018.
To avoid any disruption of service, you must verify that your systems are ready for this change by January 1, 2018.
Verify your certificate type
The easiest way to tell if you have the new type of API certificate is to navigate to the Manage API certificate page in your account profile:
If you have the API certificate file that you downloaded from PayPal, you can also use OpenSSL to see if it is the new type of certificate:
openssl x509 -text -noout -in cert_key_pem.txt
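The fields to read in that output are the public key size and the signature algorithm. The script below is an added example, not PayPal tooling: the function names classify_cert_text and check_cert_file are hypothetical, and the sample certificate text is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the text printed by `openssl x509 -text -noout`.
# Reads that text on stdin; prints new, old or unknown plus the fields it found.
classify_cert_text() {
    text=$(cat)
    # "Public-Key: (2048 bit)" on current OpenSSL, "RSA Public Key: (1024 bit)" on old builds
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # The first "Signature Algorithm:" line is the one inside the signed certificate data
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    notafter=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$sigalg" in
        sha256*) hash=sha256 ;;
        sha1*)   hash=sha1 ;;
        *)       hash=other ;;
    esac
    if [ -z "$bits" ] || [ -z "$sigalg" ]; then
        verdict=unknown   # not x509 text output, or a field is missing
    elif [ "$bits" -ge 2048 ] && [ "$hash" = sha256 ]; then
        verdict=new       # 2048-bit, SHA-256
    elif [ "$bits" -lt 2048 ] || [ "$hash" = sha1 ]; then
        verdict=old       # 1024-bit or SHA-1: replace it
    else
        verdict=unknown   # a combination this notice does not describe
    fi
    printf '%s bits=%s sigalg=%s not_after=%s\n' "$verdict" "${bits:-?}" "${sigalg:-?}" "${notafter:-?}"
}

# Run the page's command on a downloaded certificate file and classify the result.
check_cert_file() {
    openssl x509 -text -noout -in "$1" | classify_cert_text
}

# Constructed excerpt of x509 text output for an old-style certificate.
sample_old_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not After : Jan  1 00:00:00 2020 GMT
        Subject Public Key Info:
                Public-Key: (1024 bit)
EOF
}

sample_old_cert_text | classify_cert_text
```

For a real file, run check_cert_file cert_key_pem.txt; a verdict of old means the certificate needs replacing.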
Replace your old API certificate before January 1, 2018
You can find additional details on renewing your API certificate credentials here:
Why is PayPal changing the API certificate credentials?
Payment industry standards have moved to more secure 2048-bit certificates, and certificate issuing authorities will stop issuing 1024-bit certificates in 2017.
Is the Root CA Certificate that is used to sign the API certificate credentials available?
Yes. The certificates issued as API credentials are signed by PayPal. If your systems require the Root CA Certificate for trust validation, contact your PayPal representative.
For more help, go to https://www.paypal-techsupport.com.