Paypal's new SHA2 requirement.
I have a RapidSSL cert installed on a server. SHA256, 2048 bits. Paypal is complaining about an account on the server and stating this: "Discontinue support for secure connections that require validation with the VeriSign G2 Root Certificate". (see Paypal link below for details on the changes).
I don't deal with SSLs often, and can't seem to determine how to add or update the cert it's complaining about (searching failed me). AFAIK I don't need to reissue my server's certificate, just add an additional root CA bundle from Verisign. (info here)
How to do so and have it be recognized properly?
PayPal SSL Certificate Changes | PayPal & Braintree | Developer - Blog
If not, download the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate, or download the endpoint-specific SSL certificates, and put these certificates in their keystore
Is the certificate in /etc/pki/tls/cert.pem (I believe this is the correct path for RedHat/CentOS/CloudLinux)? What does
cat /etc/pki/tls/cert.pem | grep "VeriSign Class 3 Public Primary Certification Authority - G5"
show?
Here's the result:
# cat /etc/pki/tls/cert.pem | grep "VeriSign Class 3 Public Primary Certification Authority - G5"
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
To me, that looks like the right cert info, based on the link to the Verisign cert above. That leads me to think the application they're using isn't calling things properly and it's not the server that's the issue. Still, knowing how to add to the cert store on the server would be helpful.
Hello :)

SHA-256 has been the default in cPanel since version 11.46. Thus, any certificate data generated since your server utilized that version should be compliant. You can use a third-party utility to quickly check if your certificate is compliant:

CSR Decoder and Certificate Decoder | CSR Checker | Certificate Checker

You can always update a certificate with a new CRT or CABundle via:

"WHM Home » SSL/TLS » Install an SSL Certificate on a Domain"

Thank you.
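A stricter version of the grep check from the thread, as an added example that is not part of any poster's reply: grep matches the text annotations stored in the bundle, while this decodes each PEM block with openssl and reports only certificates whose subject contains the given CN and equals the issuer (a self-signed root). The helper name find_root is hypothetical; the path and CN in the usage comment are the ones quoted in the thread.

```bash
# find_root BUNDLE CN
# Prints subject, expiry and SHA-256 fingerprint of every self-signed
# certificate in BUNDLE whose subject contains CN. Returns 0 if one was found.
# (find_root is a hypothetical helper name, not a cPanel or OpenSSL command.)
find_root() (
    bundle=$1
    cn=$2
    [ -r "$bundle" ] || exit 2
    tmp=$(mktemp -d) || exit 2

    # Split the bundle into one file per PEM block. Text annotations between
    # blocks (the lines a plain grep matches) are ignored here.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/   { on = 0; close(out) }
    ' "$bundle"

    status=1
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        # Decode the certificate itself; skip blocks openssl cannot parse.
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null) || continue
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 2>/dev/null) || continue
        subj=${subj#subject=}
        iss=${iss#issuer=}
        # Substring match on the CN, then require subject == issuer (a root).
        case $subj in
            *"CN=$cn"*) ;;
            *) continue ;;
        esac
        [ "$subj" = "$iss" ] || continue
        openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
        status=0
    done

    rm -rf "$tmp"
    exit "$status"
)

# Usage with the path and CN quoted in the thread:
#   find_root /etc/pki/tls/cert.pem "VeriSign Class 3 Public Primary Certification Authority - G5"
if [ "$#" -ge 2 ]; then find_root "$1" "$2"; fi
```

The fingerprint it prints can be compared with the one the CA publishes for that root.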