Remove Support of Verisign G5 Root Certificate

In a Nutshell...

In 2018, Google imposed a security mandate announcing that Chrome would distrust all certificates issued by the old Symantec platform. PayPal responded by replacing all of our end-entity X.509 certificates. We continued to support the Verisign G5 root certificate to give merchants ample time to update their integrations so that their environments support connections to the trusted DigiCert root certificates. In 2019, PayPal communicated plans to remove support of the Verisign G5 root certificate in 2020 to better align with industry standards. Due to upcoming certificate expirations on our endpoints, PayPal is moving forward with this change.
 

What do I need to do?

PayPal merchants may need to update their integration to ensure the following DigiCert root certificates are trusted anchors for PayPal endpoints:
  • DigiCert High Assurance Extended Validation (EV) Root CA
  • DigiCert Global Root G2
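
An added example, not PayPal's code: this Python script reports which of the two roots above are absent from the platform's default trust store. It assumes each root's subject common name equals the name listed here; a name match alone does not prove a certificate is genuine, so compare fingerprints against the values DigiCert publishes before installing a root.

```python
import ssl
from pathlib import Path

# Root names as listed on this page. Assumption: each root's subject CN equals its name.
REQUIRED_ROOTS = (
    "DigiCert High Assurance EV Root CA",
    "DigiCert Global Root G2",
)

def common_names(ca_certs):
    """Collect subject CNs from SSLContext.get_ca_certs()-style dicts."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names

def missing_roots(ca_certs, required=REQUIRED_ROOTS):
    """Return the required root names that are absent from the store."""
    present = common_names(ca_certs)
    return [name for name in required if name not in present]

def load_default_store():
    """Load the platform trust store, including hashed capath directories,
    which OpenSSL reads lazily and get_ca_certs() would otherwise not list."""
    ctx = ssl.create_default_context()
    capath = ssl.get_default_verify_paths().capath
    if capath and Path(capath).is_dir():
        for entry in Path(capath).iterdir():
            if not entry.is_file():
                continue
            try:
                ctx.load_verify_locations(cafile=str(entry))
            except (ssl.SSLError, OSError):
                continue  # not a PEM certificate file
    return ctx.get_ca_certs()

# Constructed sample: a store holding one unrelated legacy root and neither DigiCert root.
SAMPLE_OLD_STORE = [
    {"subject": ((("organizationName", "Example Legacy CA (constructed)"),),
                 (("commonName", "Example Legacy Root (constructed)"),))},
]

if __name__ == "__main__":
    gaps = missing_roots(load_default_store())
    print("missing roots:", gaps or "none")
```

Applications that ship their own CA bundle (for example a Java keystore or a bundled PEM file) do not use the platform store, so run the check against the store the integration actually loads.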

NOTE: Most merchants will not be impacted by these changes. Review the following questions to determine if your integration is affected.


Technical Details

Certificate Details

  • DigiCert High Assurance EV Root CA
  • DigiCert Global Root G2

Sandbox Endpoints

Ready now
  • api.sandbox.paypal.com
  • api-3t.sandbox.paypal.com
  • api-aa.sandbox.paypal.com
  • api-aa-3t.sandbox.paypal.com
  • ipnpb.sandbox.paypal.com 
  • svcs.sandbox.paypal.com
  • pilot-payflowpro.paypal.com
  • pointofsale.sandbox.paypal.com

Production Endpoints

IMPORTANT: To minimize impact, we ask that merchants please ensure their trust stores contain the updated trusted roots.

Ready now
  • api.paypal.com 
  • www.paypal.com
  • svcs.paypal.com
  • api-3t.paypal.com
  • api-aa.paypal.com
  • api-aa-3t.paypal.com
  • pointofsale.paypal.com
  • payflowpro.paypal.com
  • ipnpb.paypal.com

FAQs


Do I need to have both the DigiCert High Assurance EV Root CA and DigiCert Global Root G2 root certificates in my trust store?
  • Yes, we recommend you have both the DigiCert High Assurance EV Root CA and DigiCert Global Root G2 root certificates in your trust store to successfully connect to PayPal production endpoints.

How do I know if I'm impacted by future changes to these certificates?
  • We make periodic updates to our root TLS provider for API traffic to align with security standards. For some integrations, this requires updating certificates that are pinned to PayPal-owned domains, or updating certificate authorities (CAs) and intermediate certificates associated with PayPal-owned domains. We do not recommend you follow this practice, as we are unable to proactively notify you of upcoming changes that can impact your processing. If you still feel it is necessary for your integration, be aware that these certificates are subject to change; the best way to stay apprised of upcoming changes is to subscribe to email notifications via PayPal Status.

Where can I get the PayPal leaf certificates signed by the DigiCert root certificates?
  • PayPal leaf certificates are available for the Live, Sandbox, and Payflow environments. These certificates are for use with legacy implementations ONLY. Do NOT download or install them unless your integration requires an X.509 leaf certificate in your trust store.
  • Should you need any other PayPal leaf certificates not currently listed after this change, please use the following commands to retrieve them directly from our servers:
    echo -n | openssl s_client -connect <subdomain>.paypal.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > paypal.crt
    Followed by:
    openssl x509 -in paypal.crt -out paypal.pem -outform PEM