PayPal changing to DigiCert G2

Very long time user of S2Member PRO. And so appreciative of this software.

My question today (and I’m SO grateful for being able to ask) is that PayPal Canada announced they are using DigiCert Global Root G2 certificates and to update something in the API. I did a little research and the only answer I could come up with is adding the G2 root in the PEM format and adding it to the trust store for the API app.

I found the file but have no idea of what to do with it.

Is this actually going to be updated in the S2member PayPal API so I don’t have to be concerned about it?

Any help is appreciated. :slight_smile: Thanks! Gillian


Same email from PayPal, same question. :slight_smile:

I don’t think it matters except if you embed a PayPal form and use a CSP that has certs as a condition.

Sorry I’m not sure what you mean. I use PayPal forms, etc. but I rely on S2Member to make the API connection etc.

I’m wondering from my original post if this update is somehow hardcoded by S2Member. Perhaps a moderator could answer?

You use a content security policy? If not, don’t worry, I think.

So if I’m understanding correctly, PayPal was saying that anyone using a CSP needs to add PayPal’s new G2 certificate to the list of trusted certificates. But for those of us who don’t, there’s nothing that needs to be done. Life goes on.

No, that’s not what they’re saying; that’s what I guess may be an implication. There may be other implications, but I guess that’s one that can inflict a few Webshop Sites. CSC is quite a common thing for bigger websites and security, so PayPal needs to send a notice to all users. Especially as you cannot read the CSC of other websites.
There are other cases where certificates are only allowed for an API or IPN to be issued by one issuer to make sure it’s not forged and comes from another issuer.

Bumping this to get a moderator from S2’s response please! Rather than guessing about this can I please have an answer. Thanks!

Here is the message from PayPal. To be clear, there is no mention of updating anything regarding the API:

Following DigiCert’s direction, PayPal will start using Certificates issued from DigiCert Global Root G2 Chain . We are requesting you to add DigiCert Global Root G2 to truststores that are used to connect to with PayPal. PayPal will begin to use certificates with the Root G2 Chain from October 2024.

In the “More information” link included with PayPal’s message, it says:

No action is required unless you do any of the following:

  • Pin ICA/Root certificates
  • Hard-code the acceptance of ICA/Root certificates
  • Operate a trust store

This is where the API association came from -
Link here

This was from a PayPal engineer.

S2member uses PayPal’s API. My original question was whether S2 would be updated to reflect the new certificate that should be put in the trust category.

I’m a little disappointed at no mods or help during this time. I’ve been a long term user and installed S2 for many clients.

Not important but in that link, it’s interesting that the engineer pointed out the same thing I noticed from PayPal’s message, which were the grammatical errors. I almost deleted the email as spam when I first read it because of the grammar.

Unfortunately the relationship between s2Member and PayPal (based on history) is that s2Member will continue to support PayPal for as long as it does, and then it won’t. So hopefully this is not something that needs to be updated.

PayPal often has sent out messages not related to a majority. I think the cert change has happened already once or twice. Nothing to worry about.
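
For readers who, in the words of PayPal's notice, operate a trust store: an added example (not part of the thread, and not s2Member or PayPal code) that checks whether a PEM CA bundle already trusts a root named DigiCert Global Root G2 and whether it has expired. The bundle path is supplied by the user, and the sample entries and their dates are constructed.

```python
import ssl
import sys
import time

ROOT_CN = "DigiCert Global Root G2"  # root name as given in PayPal's notice

# Constructed sample, shaped like ssl.SSLContext.get_ca_certs() output.
# The names other than ROOT_CN and both dates are made up for illustration.
SAMPLE = [
    {"subject": ((("organizationName", "Example Org"),),
                 (("commonName", "Example Other Root CA"),)),
     "notAfter": "Jan 01 00:00:00 2030 GMT"},
    {"subject": ((("organizationName", "DigiCert Inc"),),
                 (("commonName", ROOT_CN),)),
     "notAfter": "Jan 01 00:00:00 2030 GMT"},
]

def common_name(cert):
    """Return the subject commonName of one get_ca_certs() entry, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def find_root(ca_certs, wanted=ROOT_CN, now=None):
    """List (notAfter, not_expired) for every trusted CA whose CN is `wanted`."""
    now = time.time() if now is None else now
    return [(c["notAfter"], ssl.cert_time_to_seconds(c["notAfter"]) > now)
            for c in ca_certs if common_name(c) == wanted]

def load_bundle(cafile):
    """Parse a PEM CA bundle and return its certificates as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

if __name__ == "__main__":
    # Usage: python check_root.py /path/to/ca-bundle.pem (no path: use SAMPLE)
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    hits = find_root(certs)
    if not hits:
        print(f"{ROOT_CN}: NOT in this trust store")
    for not_after, ok in hits:
        print(f"{ROOT_CN}: present, expires {not_after}, "
              f"{'valid' if ok else 'EXPIRED'}")
    sys.exit(0 if any(ok for _, ok in hits) else 1)
```

A name match only shows that a certificate with that subject is in the bundle; compare its fingerprint with the value DigiCert publishes before relying on it.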