The Community Forums


Paypal's new SHA2 requirement.

Discussion in 'Security' started by bear, Oct 16, 2015.

  1. bear

    bear Well-Known Member

    I have a RapidSSL cert installed on a server. SHA256, 2048 bits. PayPal is complaining about an account on the server and stating this: "Discontinue support for secure connections that require validation with the VeriSign G2 Root Certificate". (See the PayPal link below for details on the changes.)

    I don't deal with SSLs often, and can't seem to determine how to add or update the cert it's complaining about (searching failed me). AFAIK I don't need to reissue my server's certificate, just add an additional root CA bundle from Verisign. (info here)
    How do I do so and have it be recognized properly?

    PayPal SSL Certificate Changes | PayPal & Braintree | Developer - Blog

     
  2. sparek-3

    sparek-3 Well-Known Member

    Is the certificate in /etc/pki/tls/cert.pem? (I believe this is the correct path for RedHat/CentOS/CloudLinux.)

    What does
    Code:
    cat /etc/pki/tls/cert.pem | grep "VeriSign Class 3 Public Primary Certification Authority - G5"
    show?
     
  3. bear

    bear Well-Known Member

    Here's the result:

    Code:
    # cat /etc/pki/tls/cert.pem | grep "VeriSign Class 3 Public Primary Certification Authority - G5"
            Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
            Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    To me, that looks like the right cert info, based on the link to the Verisign cert above. That leads me to think the application they're using isn't calling things properly and it's not the server that's the issue.
    Still, knowing how to add to the cert store on the server would be helpful.
     
    #3 bear, Oct 16, 2015
    Last edited: Oct 16, 2015
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    SHA-256 has been the default in cPanel since version 11.46. Thus, any certificate data generated since your server utilized that version should be compliant. You can use a third-party utility to quickly check if your certificate is compliant:

    CSR Decoder and Certificate Decoder | CSR Checker | Certificate Checker

    You can always update a certificate with a new CRT or CABundle via:

    "WHM Home » SSL/TLS » Install an SSL Certificate on a Domain"

    Thank you.
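
The checks discussed in this thread (is a given root in the CA bundle, is the certificate SHA-256 signed, does it chain to the bundle) can be scripted with the openssl CLI. This is an added example, not part of any post above: it generates its own throwaway test certificates, and "Example Test Root CA" and shop.example.test are constructed names.

```shell
#!/bin/sh
# Added example: every certificate here is a throwaway generated at run time;
# "Example Test Root CA" and shop.example.test are constructed names.

# Create a SHA-256 test root and a leaf signed by it in directory $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 2 -in "$1/leaf.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# Succeed if a certificate in PEM bundle $1 has a subject containing $2.
# Parses the certificates themselves, so it also works on bundles that
# carry no text annotations for grep to find, and it ignores issuer lines.
bundle_has_subject() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        grep '^subject' | grep -F -q -- "$2"
}

# Print the signature algorithm of PEM certificate $1.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Succeed if certificate $2 chains to a root in bundle $1.
# Checks the printed verdict rather than relying on the exit status alone.
chains_to_bundle() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    make_test_pki "$demo_dir" || return 1
    bundle_has_subject "$demo_dir/ca.pem" "Example Test Root CA" && echo "root present in bundle"
    echo "leaf signature algorithm: $(cert_sig_alg "$demo_dir/leaf.pem")"
    chains_to_bundle "$demo_dir/ca.pem" "$demo_dir/leaf.pem" && echo "leaf chains to bundle"
    rm -rf "$demo_dir"
}
demo
```

On a real server the same functions take the system bundle and the installed certificate as arguments, for example the /etc/pki/tls/cert.pem path mentioned above.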
     
