I've been receiving notifications from PayPal that I need to update my integration to use SHA256 certificates.
I use PayPal's Encrypted Website Payments, with the EWP Services Kit (which they no longer seem to offer for download). I encrypt the payment buttons myself, in PHP, rather than using PayPal's button creation facility. PayPal's documentation for this still specifies 1024-bit keys:
Note the openssl commands in the above link:
openssl genrsa -out ps-prvkey.pem 1024
openssl req -new -key ps-prvkey.pem -x509 -days 365 -out ps-pubcert.pem
On the microsite describing the certificate change, it says this:
Q. How do I know if my integration is affected?
We are making changes to the Sandbox environments prior to any Live changes, so you can verify your integration against the Sandbox. If you see these or similar error messages in the Sandbox environment, you will need to update your integration before we make changes to our Live environment (per the timeline above).
I tested my integration against the sandbox, and it went through fine - no error messages. So I'm wondering if that truly means EWP sites don't have to update their certificates or (more likely), PayPal has neglected to document this.
QUESTION: Do I have to update my certificates? If so, I need the following information:
(1) What is the updated version of the openssl commands? Do I just replace 1024 with 2048?
(2) Do I need an updated version of the PayPal certificates (live and sandbox)? If so, where do I get them?
(3) When will the change be made for EWP integrations (the date)?
I've been all over the PayPal site, and I can't find this information anywhere.
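For anyone working through question (1) above: replacing 1024 with 2048 changes only the key size; the SHA-256 part is the digest the certificate is signed with, which is set when the certificate is created (OpenSSL 1.1.0 and later default to SHA-256 for `openssl req`, older builds default to SHA-1, so passing `-sha256` explicitly is the safe choice). The script below is an added example, not code from the original post or from PayPal's kit: it generates the key pair with the file names used in the post, signs the self-signed certificate with SHA-256, and then reads the signature algorithm and key size back out of the certificate so the result can be verified rather than assumed. The subject name is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the PayPal docs or the original post): create a
# 2048-bit RSA key and a SHA-256 self-signed certificate, then verify both
# properties from the certificate itself. File names follow the post; the
# subject "/CN=ewp-example.invalid" is a constructed placeholder.
set -eu

# make_ewp_cert <output dir> <rsa bits>
# Equivalent of the two commands in the post, with the key size as a
# parameter and the signature digest pinned to SHA-256.
make_ewp_cert() {
    dir="$1"; bits="$2"
    openssl genrsa -out "$dir/ps-prvkey.pem" "$bits" 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 \
        -key "$dir/ps-prvkey.pem" \
        -subj "/CN=ewp-example.invalid" \
        -out "$dir/ps-pubcert.pem"
}

# cert_summary <cert.pem>
# Prints "<signature algorithm> <public key bits>", e.g.
# "sha256WithRSAEncryption 2048", parsed from `openssl x509 -text`.
# The Public-Key regex matches both the OpenSSL 1.x ("RSA Public-Key:")
# and 3.x ("Public-Key:") output formats.
cert_summary() {
    text=$(openssl x509 -in "$1" -noout -text)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    printf '%s %s\n' "$sig" "$bits"
}

# check_ewp_cert <cert.pem>
# Succeeds only if the certificate is signed with SHA-256 over RSA and the
# key is at least 2048 bits; a 1024-bit or SHA-1 certificate fails here.
check_ewp_cert() {
    summary=$(cert_summary "$1")
    sig=${summary% *}
    bits=${summary#* }
    [ "$sig" = "sha256WithRSAEncryption" ] && [ "$bits" -ge 2048 ]
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ewp_cert "$work" 2048
    cert_summary "$work/ps-pubcert.pem"
    if check_ewp_cert "$work/ps-pubcert.pem"; then
        echo "OK: ps-pubcert.pem is SHA-256 signed with a >= 2048-bit RSA key"
    else
        echo "FAIL: ps-pubcert.pem does not meet the SHA-256 / 2048-bit bar" >&2
    fi
    rm -rf "$work"
fi
```

Running the same `cert_summary` against an existing `ps-pubcert.pem` (or against the PayPal public certificate you have on file) tells you immediately whether it was issued with `sha1WithRSAEncryption` and a 1024-bit key, which is the combination the migration notices are about.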
It sounds like you are using PayPal Website Payments Standard, regardless of whether you encrypt the buttons or not. PayPal Website Payments Standard is unaffected by the SSL Upgrade by PayPal so no action is necessary on your part. More info here: https://devblog.paypal.com/paypal-ssl-certificate-changes/