Migration to DigiCert Root Certificates

PayPal is upgrading the SSL/TLS certificates used to secure our web sites and API endpoints. The new certificates will use a trust chain signed by DigiCert root certificates. You will need to ensure that your environment supports connections that rely on these DigiCert root certificates.

The information that follows is of a highly technical nature and should be reviewed by one of the following:

  • Your web hosting company
  • Your e-commerce software provider
  • Your in-house web programmer/system administrator

In a Nutshell...

All major browser vendors, including GoogleApple and Firefox, plan to distrust legacy SSL/TLS certificates issued under the Symantec infrastructure. PayPal supports this change, and is upgrading the certificates used to secure our web sites and API endpoints. PayPal merchants may need to update their integration to ensure the following DigiCert root certificates are trust anchors for PayPal endpoints:
  • DigiCert Global Root G2
  • DigiCert High Assurance Extended Validation (EV) Root CA

NOTE: Most customers will not be impacted by these changes. These updates are in response to an industry-wide security upgrade and are not unique to PayPal. They will help secure your website’s interaction with the PayPal website and APIs.

What do I need to do?


NOTE: The clearest way to determine whether your system supports these requirements is to have a web developer or system administrator run a test of your integration using the PayPal Sandbox. A failure in testing with the Sandbox indicates you should review all the following information and upgrade your system’s environment.

Technical Details

Sandbox Endpoints

You can use these endpoints to verify that your code supports the required standards before the Production endpoints are updated. These endpoints are being configured with the latest security standards signed with the new DigiCert roots:

Ready Now
  • api.sandbox.paypal.com
  • www.sandbox.paypal.com
  • ipnpb.sandbox.paypal.com
  • mobileclient.sandbox.paypal.com
  • api-3t.sandbox.paypal.com
  • api-aa.sandbox.paypal.com
  • api-aa-3t.sandbox.paypal.com
  • svcs.sandbox.paypal.com
  • pilot-payflowpro.paypal.com
Production Endpoints

The following Production endpoints are being upgraded to certificates signed with the new DigiCert roots:

Ready Now
  • api.paypal.com
  • www.paypal.com
  • ipnpb.paypal.com
  • payflowlink.paypal.com
  • xml-reg.paypal.com
  • mobileclient.paypal.com
  • payments-reports.paypal.com

Ready in February 2019
  • api-3t.paypal.com
  • api-aa.paypal.com
  • api-aa-3t.paypal.com
  • svcs.paypal.com
  • pointofsale.paypal.com
  • payflowpro.paypal.com
Note: Brief test(s) may be run to verify functionality prior to final deployment, dates can be found here

Certificate Details

DigiCert Global Root G2
DigiCert High Assurance EV Root CA

FAQs

Where can I find out more about these changes? Do I need to remove the Symantec G5 root certificate before installing the DigiCert certificates?
  • No, we recommend you retain the Symantec G5 root certificate until all PayPal production sites have updated their certificates.

Where can I get the PayPal leaf certificates signed by the DigiCert root certificates?
  • PayPal leaf certificates are available for the LiveSandbox, and Payflow environments. These certificates are for use with legacy implementations ONLY. Do NOT download or install them unless your integration requires an X.509 leaf certificate in your trust store.