How To Verify That Your Server Meets New PayPal SSL Requirements
Stricter security standards are the norm, and PayPal is upgrading the SSL certificates used to secure its sites and API endpoints. Under the new standard, the certificates must be signed using the SHA-256 algorithm and chain to the 2048-bit G5 root certificate. The changes were originally scheduled to take place by June 17, 2016; however, I believe that date has been extended to mid-October, 2016.
The bottom line is that you should verify your SSL certificates immediately, because PayPal's service will discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.
Checking whether your server supports the new standard is easy. Just log in via SSH and run a single command (the `</dev/null` closes standard input so that s_client prints the chain and exits instead of waiting for you to type):
openssl s_client -connect api-3t.sandbox.paypal.com:443 -showcerts </dev/null | egrep -wi "G5|return"
If your server is compliant, you'll see output to the effect of the following:
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Verify return code: 0 (ok)
In the output, you need to see two specific items mentioned:
A Certification Authority containing “G5”. Note that you may see several CA lines in your output; as long as G5 is included, your server is compliant.
A Verify return code of “0 (ok)”.
If you see both, you're golden: the server is compliant and no further action is needed. If you do not see both items, your server will need the G5 certificate bundle installed; please contact URLJet Support to have it installed.
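The two checks above can be scripted so they can be run across many servers and fail loudly when something is missing. The following is an added example, not part of the original article: `check_paypal_chain` reads an `openssl s_client -showcerts` transcript on standard input, reports which of the two items is absent, and returns 0 only when both are present; `fetch_chain` runs the article's command against the endpoint the article names. The function names, the `--live` flag and the two constructed sample transcripts are this example's own; the sample certificate subjects are made up and only the issuer and verify lines matter to the check.

```shell
#!/bin/sh
# Added example (not from the original article). Automates the two checks the
# article describes for the PayPal sandbox endpoint.

PAYPAL_HOST="api-3t.sandbox.paypal.com"   # endpoint named in the article
PAYPAL_PORT=443

# Run the article's command. </dev/null closes stdin so s_client exits instead
# of waiting for input; 2>&1 also captures connection errors in the transcript.
fetch_chain() {
    openssl s_client -connect "${PAYPAL_HOST}:${PAYPAL_PORT}" -showcerts </dev/null 2>&1
}

# Reads a transcript on stdin. Returns 0 (compliant) only when an issuer line
# ("i:") names the G5 root AND openssl reports "Verify return code: 0 (ok)".
# Otherwise prints what is missing and returns 1. A non-zero verify code means
# the server's own CA bundle could not build the chain, which is exactly what
# breaks outbound API calls to PayPal.
check_paypal_chain() {
    transcript=$(cat)
    status=0
    if printf '%s\n' "$transcript" | grep -i '^ *i:.*G5' >/dev/null; then
        echo "OK: chain issuer names the VeriSign G5 root"
    else
        echo "MISSING: no issuer line mentioning G5 (old G2 chain in use)"
        status=1
    fi
    if printf '%s\n' "$transcript" | grep 'Verify return code: 0 (ok)' >/dev/null; then
        echo "OK: verify return code 0"
    else
        code=$(printf '%s\n' "$transcript" | sed -n 's/^ *Verify return code: //p' | head -n 1)
        echo "MISSING: verify return code is '${code:-absent}', expected '0 (ok)'; install the G5 CA bundle"
        status=1
    fi
    return $status
}

# One-word verdict for use in monitoring or inventory scripts.
verdict() {
    if check_paypal_chain >/dev/null; then echo compliant; else echo non-compliant; fi
}

# Constructed sample transcripts (not real captures) for offline testing.
SAMPLE_OK=' 0 s:/C=US/O=Example Merchant/CN=api-3t.sandbox.paypal.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Verify return code: 0 (ok)'

SAMPLE_BAD=' 0 s:/C=US/O=Example Merchant/CN=api-3t.sandbox.paypal.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Public Primary Certification Authority - G2
    Verify return code: 20 (unable to get local issuer certificate)'

# Run against the live endpoint only when asked: sh check_paypal.sh --live
case "${1:-}" in
    --live) fetch_chain | check_paypal_chain ;;
esac
```

Run `sh check_paypal.sh --live` on the server itself, not from a workstation: the verify return code reflects the CA bundle of the machine running openssl, and it is the server's bundle that PayPal's API calls depend on.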
PLEASE NOTE: CentOS 5 is not capable of supporting the new standard. If your server runs CentOS 5, it will need to be upgraded; please contact the URLJet Support Team for the upgrade.