All major browser vendors, including Google, Apple and Firefox, plan to distrust legacy SSL/TLS certificates issued under the Symantec infrastructure. PayPal supports this change, and is upgrading the certificates used to secure our web sites and API endpoints. PayPal merchants may need to update their integration to ensure the following DigiCert root certificates are trust anchors for PayPal endpoints:

NOTE: Most customers will not be impacted by these changes. These updates are in response to an industry-wide security upgrade and are not unique to PayPal. They will help secure your website’s interaction with the PayPal website and APIs.

NOTE: The clearest way to determine whether your system supports these requirements is to have a web developer or system administrator run a test of your integration using the PayPal Sandbox. A failure in testing with the Sandbox indicates you should review all the following information and upgrade your system’s environment.

Sandbox Endpoints

You can use these endpoints to verify that your code supports the required standards before the Production endpoints are updated. These endpoints are being configured with the latest security standards signed with the new DigiCert roots:

Ready Now

Ready in October 2018

Production Endpoints

The following Production endpoints are being upgraded to certificates signed with the new DigiCert roots:

Ready Now

Ready in January 2019

Certificate Details

DigiCert Global Root G2

DigiCert High Assurance EV Root CA
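To confirm that a trust store already holds both roots before testing against the Sandbox, the check below can be run against a PEM bundle or the platform default store. It is an added example, not PayPal's code; the function names and the command-line bundle path are assumptions made for illustration.

```python
import ssl
import sys

# Root names as listed under "Certificate Details" on this page.
REQUIRED_ROOTS = ("DigiCert Global Root G2", "DigiCert High Assurance EV Root CA")


def common_name(cert):
    """Return the subject commonName from a dict as produced by get_ca_certs()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def missing_roots(ca_certs, required=REQUIRED_ROOTS):
    """List required roots that are not present as self-issued trust anchors."""
    # A cross-signed or intermediate certificate can carry the same subject
    # name, so only entries whose issuer equals their subject are counted.
    anchors = {
        common_name(c) for c in ca_certs if c.get("subject") == c.get("issuer")
    }
    return [name for name in required if name not in anchors]


def load_anchors(cafile=None):
    """Load trust anchors from a PEM bundle, or from the platform default store."""
    if cafile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
    # Caveat: certificates in a capath directory are loaded lazily and do not
    # appear in get_ca_certs(); pass a bundle file to get a definite answer.
    return ctx.get_ca_certs()


if __name__ == "__main__":
    # Assumed usage: optional first argument is the path to a PEM CA bundle.
    bundle = sys.argv[1] if len(sys.argv) > 1 else None
    absent = missing_roots(load_anchors(bundle))
    print("missing roots:", ", ".join(absent) if absent else "none")
    sys.exit(1 if absent else 0)
```

A name match alone does not prove the certificate is genuine; compare its fingerprint against the value DigiCert publishes before relying on it.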

Where can I find out more about these changes?

Do I need to remove the Symantec G5 root certificate before installing the DigiCert certificates?

No, we recommend you retain the Symantec G5 root certificate until all PayPal production sites have updated their certificates.

Where can I get the PayPal leaf certificates signed by the DigiCert root certificates?

PayPal leaf certificates are available for the Live, Sandbox, and Payflow environments. These certificates are for use with legacy implementations ONLY. Do NOT download or install them unless your integration requires an X.509 leaf certificate in your trust store.