PayPal’s existing API certificate credentials are 1024-bit, SHA-1 certificates that expire after 10 years. Starting on February 4, 2016, all PayPal API certificate credentials issued will be 2048-bit, SHA-256 certificates that expire every 3 years. As a result, we are requiring all merchants to upgrade to the new 2048-bit certificates between now and September 2018.
To avoid any disruption of service, you must verify that your systems are ready for this change by September 2018.
Verify your certificate type
The easiest way to tell if you have the new type of API certificate is to navigate to the Manage API certificate page in your account profile:
openssl x509 -text -noout -in cert_key_pem.txt
Replace your old API certificate before September 2018
You can find additional details on renewing your API certificate credentials here:
Why is PayPal changing the API certificate credentials?
Payment industry standards have moved to more secure 2048-bit certificates, and certificate issuing authorities stopped issuing 1024-bit certificates in 2017.
Is the Root CA Certificate that is used to sign the API certificate credentials available?
Yes. The certificates issued as API credentials are signed by PayPal. If your systems require the Root CA Certificate for trust validation, contact your PayPal representative
For more help, go to https://www.paypal-techsupport.com.