All major browser vendors, including Google, Apple and Firefox, plan to distrust legacy SSL/TLS certificates issued under the Symantec infrastructure. PayPal supports this change, and is upgrading the certificates used to secure our web sites and API endpoints. PayPal merchants may need to update their integration to ensure the following DigiCert root certificates are trust anchors for PayPal endpoints:
NOTE: Most customers will not be impacted by these changes. These updates are in response to an industry-wide security upgrade and are not unique to PayPal. They will help secure your website’s interaction with the PayPal website and APIs.
NOTE: The clearest way to determine whether your system supports these requirements is to have a web developer or system administrator run a test of your integration using the PayPal Sandbox. A failure in testing with the Sandbox indicates you should review all the following information and upgrade your system’s environment.
Sandbox Endpoints - Ready Now
The PayPal Sandbox endpoints have been configured with the latest security standards to which the Production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards before the Production endpoints are updated. These endpoints have been upgraded to certificates signed with the new DigiCert roots:
Production Endpoints - Coming Soon
The following Production endpoints will be upgraded to certificates signed with the new DigiCert roots:
NOTE: If you’re using www.paypal.com for Instant Payment Notification (IPN) processing, be sure to install the DigiCert High Assurance EV Root CA in addition to the DigiCert Global Root G2 for API connections.
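An offline check that a trust store contains the two DigiCert roots named in this notice, as an added example that is not PayPal's code. The function names are assumptions made for illustration, and the match is on subject common name only.

```python
import ssl
import sys

# Root CA common names as given in the notice above.
REQUIRED_ROOTS = (
    "DigiCert Global Root G2",
    "DigiCert High Assurance EV Root CA",
)

def common_names(ca_certs):
    """Collect subject commonName values from SSLContext.get_ca_certs() output."""
    names = set()
    for cert in ca_certs:
        # 'subject' is a tuple of RDNs, each RDN a tuple of (key, value) pairs.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names

def missing_roots(ca_certs, required=REQUIRED_ROOTS):
    """Return the required root names that are absent, in the order listed."""
    present = common_names(ca_certs)
    return [name for name in required if name not in present]

def check_trust_store(cafile=None):
    """Load a PEM bundle (or the platform default store) and report gaps.

    Certificates in a capath directory are loaded lazily by OpenSSL, so
    get_ca_certs() does not list them; point cafile at a bundle file instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return missing_roots(ctx.get_ca_certs())

if __name__ == "__main__":
    bundle = sys.argv[1] if len(sys.argv) > 1 else None
    missing = check_trust_store(bundle)
    for name in missing:
        print(f"MISSING trust anchor: {name}")
    # A name match does not prove authenticity; compare each root's
    # fingerprint with the value DigiCert publishes before relying on it.
    sys.exit(1 if missing else 0)
```

Run it with the path to the CA bundle your integration actually uses, since an application with its own trust store (for example a bundled PEM file) may differ from the operating system default.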
Details on DigiCert Global Root G2
Details on DigiCert High Assurance EV Root CA
Where can I find out more about these changes?
Do I need to remove the Symantec G5 root certificate before installing the DigiCert certificates?
No, we recommend you retain the Symantec G5 root certificate until all PayPal production sites have updated their certificates.
Where can I get the PayPal leaf certificates signed by the DigiCert root certificates?
PayPal leaf certificates are available for the Live and Sandbox environments. These certificates are for use with legacy implementations ONLY. Do NOT download or install them unless your integration requires an X.509 leaf certificate in your trust store.