VeriSign’s “Class 3 Public Primary – G5”, SHA-256, and Paypal

Posted on September 10, 2015

I received an email today from Paypal that pretty soon they will only be accepting connections secured with SHA-256 keys and VeriSign’s G5 root certificate.

The public Certificate Authority (CA) industry continues to improve the security of SSL certificates. In preparation for requiring the use of the SHA-256 signing algorithm in 2016, the VeriSign G2 Root Certificate that was historically used for connecting to PayPal API and Instant Payment Notification (IPN) endpoints will no longer be supported. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

They tell you to direct the email to your technical staff to take care of this issue.

That’s me… and I wasn’t sure what certificate(s) I had on CentOS/RHEL/SciLinux. It took some time to figure out if we were ready for the changes.

I used this bash script to address the G5 cert issue:

If you are using Ubuntu or Debian, change the path to /etc/ssl/certs/ca-certificates.crt

You should see the following if you have the certificate after running the above:

Now to verify if you have SHA-256 compatibility, you can wget this site as well as cURL it via PHP:

Successful connection/download of the index page with “SHA-256 Compatibility Test Passed” means you should be good.
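The author's bash script is not reproduced above, so here is an added Python example (not the author's code) that does the same G5 check on a CA bundle and also reports which RSA signature algorithm OID each certificate carries. It is a dependency-free byte search over each decoded PEM block rather than a DER parser, it assumes the CentOS/RHEL bundle path from the page as its default, and the bundle it runs on below is constructed from fake DER-like blobs, not real certificates.

```python
import base64
import re

# Subject CN of the root the PayPal notice requires the chain to anchor at (name taken from the page).
G5_CN = b"VeriSign Class 3 Public Primary Certification Authority - G5"

# DER encodings of the two RSA signature-algorithm OIDs relevant to the SHA-1 -> SHA-256 transition.
SIG_OIDS = {
    b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05": "sha1WithRSAEncryption",
    b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b": "sha256WithRSAEncryption",
}

PEM_RE = re.compile(
    rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)-----END (?:TRUSTED )?CERTIFICATE-----", re.S)


def pem_blocks(bundle: bytes):
    """Yield the DER bytes of every certificate in a PEM bundle; CRLF and stray whitespace are tolerated."""
    for m in PEM_RE.finditer(bundle):
        yield base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)


def scan_bundle(bundle: bytes) -> dict:
    """Byte-search each DER blob for the G5 subject CN and for a known signature-algorithm OID.
    Heuristic only, not a DER parser: `openssl x509 -noout -subject -text` is the authoritative check."""
    certs = list(pem_blocks(bundle))
    g5_indexes = [i for i, der in enumerate(certs) if G5_CN in der]
    sig_algs = []
    for der in certs:
        names = [name for oid, name in SIG_OIDS.items() if oid in der]
        sig_algs.append(names[0] if names else "unknown")
    return {"count": len(certs), "g5_indexes": g5_indexes, "sig_algs": sig_algs}


def check_bundle_file(path: str = "/etc/pki/tls/certs/ca-bundle.crt") -> dict:
    """Scan the system bundle; default is the CentOS/RHEL path (Debian: /etc/ssl/certs/ca-certificates.crt)."""
    with open(path, "rb") as f:
        return scan_bundle(f.read())


# Constructed sample bundle: two fake DER-like blobs (NOT real certificates), one carrying the G5 CN.
def _fake_der(cn: bytes, sig_oid: bytes) -> bytes:
    return b"\x30\x82\x01\x00" + sig_oid + b"\x13" + bytes([len(cn)]) + cn


def _pem(der: bytes) -> bytes:
    body = base64.encodebytes(der).replace(b"\n", b"\r\n")  # CRLF line endings on purpose
    return b"-----BEGIN CERTIFICATE-----\r\n" + body + b"-----END CERTIFICATE-----\r\n"


SAMPLE_BUNDLE = (_pem(_fake_der(b"Example SHA-256 Root", b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                 + _pem(_fake_der(G5_CN, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")))

if __name__ == "__main__":
    print(scan_bundle(SAMPLE_BUNDLE))
```

On a real system call `check_bundle_file()` and confirm `g5_indexes` is non-empty; an empty list means the G5 root is missing from the bundle and the PayPal chain will not validate.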