PayPal upgrading SSL Certificates in 2015

Timothy Kline

New Member
Received the following email this morning:

ACTION MAY BE REQUIRED: PayPal service upgrades for merchants.

[name redacted],

We’re contacting our merchants with some important information in response to an industry-wide security upgrade which is not unique to PayPal. This change involves upgrading Secure Sockets Layer (SSL) certificates over the course of 2015 and 2016.

Because these changes are technical in nature, we advise that you consult with your partner, website vendor, or individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. If you do not have a technology team, we recommend you find one, and we can work with them to ensure you continue to process payments through your current integration with PayPal.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

Questions can be directed to our Merchant Technical Services team on our Technical Support website. Click here for more information.

Thanks for your patience as we continue to improve our services.​

In addition, I found this addressed on Zen Cart's forum:

PayPal's update is occurring in 2 stages: A VeriSign G2-to-G5 Root Certificate Upgrade, and then a SHA-256 SSL certificate.

And, strictly speaking, those changes have NO IMPACT on the PHP code used in Zen Cart. But they do affect underlying server technologies used on your webserver.

1. VeriSign Root Certificate Upgrade:
We've already tested Zen Cart against the PayPal sandbox, which is already using the Verisign G5 Root Certificate, and it works fine. But that's because the webservers we tested on already have the Verisign G5 Root Certificate authority files installed. Your host can help you with this. See the link below.

2. SHA-256 SSL certificate
PayPal isn't updating the "" endpoint (used in Zen Cart v1.3.x and v1.5.x) until June 2016 (and sandbox too, so we can't test that just yet; nevertheless, it's a server config thing, not a Zen Cart thing).
But in 2015 there is a big push for all webservers to start using SHA-256 SSL certificate chains. As such, you should ensure that your hosting company properly updates your server's SSL certificate store.​

My question is whether those of us who are using dedicated hosting through KH need to take any steps with our server to prepare for the changes, or if this is something that has been/will be handled specifically by KnownHost.

Thanks, in advance!
Timothy Kline
It's not specific to Dedi or VPS servers, and not even just PayPal. There's a change happening to SSL certificates in general over the entire internet to make them even more secure. If you paid for an SSL certificate your issuer should provide you with an updated certificate before these changes take place. KH will assist you with installing the new SSL cert. If you use chrome you may have noticed some websites recently had a warning next the the lock in the address bar to inform users of this exact change, many have already fixed their cert as it's relatively quick and easy to do.