PayPal's new SHA2 requirement.

bear

Well-Known Member
cPanel Access Level
Root Administrator
I have a RapidSSL cert installed on a server. SHA256, 2048 bits. PayPal is complaining about an account on the server and stating this: "Discontinue support for secure connections that require validation with the VeriSign G2 Root Certificate". (see PayPal link below for details on the changes).

I don't deal with SSLs often, and can't seem to determine how to add or update the cert it's complaining about (searching failed me). AFAIK I don't need to reissue my server's certificate, just add an additional root CA bundle from VeriSign. (info here)
How to do so and have it be recognized properly?

PayPal SSL Certificate Changes | PayPal & Braintree | Developer - Blog

If not, download the VeriSign Class 3 Public Primary Certification Authority – G5 root certificate, or download the endpoint-specific SSL certificates, and put these certificates in their keystore
 

sparek-3

Well-Known Member
cPanel Access Level
Root Administrator
Is the certificate in /etc/pki/tls/cert.pem? (I believe this is the correct path for RedHat/CentOS/CloudLinux.)

What does
Code:
cat /etc/pki/tls/cert.pem | grep "VeriSign Class 3 Public Primary Certification Authority - G5"
show?
 

bear

Here's the result:

Code:
# cat /etc/pki/tls/cert.pem | grep "VeriSign Class 3 Public Primary Certification Authority - G5"
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
To me, that looks like the right cert info, based on the link to the VeriSign cert above. That leads me to think the application they're using isn't calling things properly and it's not the server that's the issue.
Still, knowing how to add to the cert store on the server would be helpful.
 
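The grep in the posts above matches the `Issuer:`/`Subject:` annotation text stored in the bundle. As an added example (not code from the thread or from cPanel), the script below decodes the certificates themselves and reports a root as present only when a self-signed certificate with that CN is in the file. The function names and the "Constructed Root"/"Constructed Leaf" sample certificates are made up for this example, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: inspect the decoded certificates in a PEM bundle.

# Print "subject<TAB>issuer" for every certificate in PEM bundle $1.
# crl2pkcs7/pkcs7 read all certificates in the file and skip annotation text.
bundle_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | sed 's/ *= */=/g' \
        | awk '/^subject=/ { s = substr($0, 9) }
               /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Succeed only if bundle $1 holds a self-signed certificate (subject equals
# issuer) whose subject contains "CN=$2". An intermediate that merely names
# that CA as its issuer does not count.
bundle_has_root() {
    bundle_names "$1" | awk -F'\t' -v cn="CN=$2" \
        '$1 == $2 && index($1, cn) { found = 1 } END { exit !found }'
}

# Constructed sample data in directory $1: a throwaway self-signed root and a
# leaf signed by it. Both names are made up for this example.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Leaf" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

d=$(mktemp -d) && make_sample "$d" || exit 1
cp "$d/leaf.pem" "$d/only-leaf.pem"
cat "$d/leaf.pem" "$d/root.pem" > "$d/bundle.pem"
for f in only-leaf bundle; do
    if bundle_has_root "$d/$f.pem" "Constructed Root"; then r=present; else r=missing; fi
    echo "$f.pem: root $r"
done

# On the server from the thread:
#   bundle_has_root /etc/pki/tls/cert.pem \
#       "VeriSign Class 3 Public Primary Certification Authority - G5"
```

The CN comparison is a substring match on the printed subject, so pass the full CN as it appears in the certificate.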

cPanelMichael

Administrator
Staff member
Hello :)

SHA-256 has been the default in cPanel since version 11.46. Thus, any certificate data generated since your server utilized that version should be compliant. You can use a third-party utility to quickly check if your certificate is compliant:

CSR Decoder and Certificate Decoder | CSR Checker | Certificate Checker

You can always update a certificate with a new CRT or CABundle via:

"WHM Home » SSL/TLS » Install an SSL Certificate on a Domain"

Thank you.
 