G3 to G5 Root Certificate Question

schabotte
Verified User, joined Apr 19, 2007, 22 messages
Hi,

I need to make some updates to my server to meet the new paypal SSL requirements. One of them is the SHA-256 G5 certificate. I have a G3 certificate from Rapid SSL (issued through GeoTrust)

I asked them about this and they sent me the link to verisign: https://knowledge.verisign.com/supp...t/index?page=content&actp=CROSSLINK&id=SO5624

This link doesn't really seem right as it is an SHA-1 certificate but maybe I just don't understand what they mean by SHA-1?

Anyways, does anyone know the procedure to upgrade to G5?

This is my website so you can look at the public view of the current certificate which was generated with the default keys presented in DA

https://www.thehistoricalarchive.com/

If you need any other details to help, just let me know and I'll provide what I can.

Thanks,
Steven
 
I understand all that. But it doesn't answer the specific implementation questions I have.

1) What certificate in my domain do I replace - .cacert or .cert?

2) Does this replacement impact my SSL certificate in any way - i.e. do I need to get a new one that is somehow based on the Verisign cert?
 
Let's see how your server can communicate with PayPal. There are usually two ways:

1. Your server/site sends requests to the PayPal API. Here you should make sure that you have a modern, current version of OpenSSL, with cURL/PHP built against it. Check with the sandbox, as they suggest. In other words, if you run a default DirectAdmin server then you are probably safe here if your OS is CentOS 6+ or Debian 7+. With older OS versions you will most likely have issues, as they ship with OpenSSL <1.0.

2. Callbacks after a payment is done. A PayPal server sends a request to your server, and it cares about the SSL/TLS cert on your server; check it here: https://www.ssllabs.com/ssltest/
You are most likely safe if you have grade A.
 
Thanks Alex.

I have Centos 6.7 and get an A at ssllabs.

The bit about the Verisign G5 is what threw me because I have the RapidSSL SHA256 CA - G3 so I guess even with that difference, I'll be OK come June.
 
Actually the version of openssl is
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
# lsb_release -d
Description: CentOS release 5.11 (Final)

Of course there is DirectAdmin, latest version

Compiled on CentOS 5.0
Compile Date Jun 9 2016, 02:22:18
Server Version 1.50.1
Current Available Version 1.501000

If I try to do a yum update openssl I get:
# yum update openssl
Loaded plugins: downloadonly, fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.prometeus.net
* extras: mirrors.prometeus.net
* updates: mirrors.prometeus.net
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update

But I know there are other versions after 0.9.8 ...
Do I have to remove openssl from the exclude list and retry? How do I do that?

Thanks for your help
 
For a lot of reasons this "Compiled on CentOS 5.0" is too old a version. ;)

https://wiki.centos.org/FAQ/CentOS5

8. How long will CentOS 5 be supported?

We intend to support CentOS 5 until Mar 31st, 2017 The current plan is this:

Full Updates (including hardware updates): Currently to Q4, 2012

Updates ( including minor hardware updates): Up to Q1 of 2014

Maintenance Updates Q1, 2011 - Mar 31st, 2017

Full Updates
During the Full Updates phase, new hardware support will be provided at the discretion of CentOS via Update Sets. Additionally, all available and qualified errata will be provided via Update Sets (or individually {and immediately} for Security level errata.) Update Sets normally will be released 2-4 times per year, with new ISOs released as part of each Update Set. In the 5.x numbering scheme, the .x is the number of the Update Set.
Maintenance Updates
During the Maintenance updates phase, only Security errata and select mission critical bug fixes will be released. There will be few, if any, Update Sets released.
 
CentOS 5 doesn't have the latest OpenSSL in its yum repository; you may need to compile it manually or use the update.script (look for it in this forum).

Regards
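The "Excluding Packages in global exclude list" line in the yum output above is the clue: yum is honouring an `exclude=` entry (in /etc/yum.conf or a repo file) and silently skipping the package. What follows is an added example, not the poster's configuration or a DirectAdmin script: a small sh check that reads a yum.conf-style file, pulls out the exclude globs and reports whether a package name is masked, plus the `--disableexcludes` override yum itself provides for a one-off update. The yum.conf fragment is constructed for the example, and `yum_excludes_package` / `show_masked_update` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: explain "Excluding Packages in global exclude list".
# yum masks any package matching an exclude= glob in /etc/yum.conf or a
# *.repo file, so `yum update openssl` reports nothing to do even when the
# repo carries a newer build.

# Constructed yum.conf fragment for the example (not the poster's file).
SAMPLE_YUM_CONF='[main]
cachedir=/var/cache/yum
keepcache=0
exclude=openssl* kernel* php-*
installonly_limit=5'

# Read yum.conf text on stdin and print each exclude glob on its own line.
# yum accepts space- or comma-separated globs on the exclude= line.
yum_exclude_patterns() {
    sed -n 's/^[[:space:]]*exclude[[:space:]]*=[[:space:]]*//p' \
        | tr ',' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Exit 0 if PKG matches any exclude glob in CONF_TEXT, 1 otherwise.
# case(1) applies the same shell-style glob matching yum uses for excludes;
# $pat is deliberately unquoted so the glob is interpreted, and the loop runs
# in a subshell so the patterns never hit pathname expansion.
yum_excludes_package() {
    conf_text="$1"
    pkg="$2"
    printf '%s\n' "$conf_text" | yum_exclude_patterns | {
        while IFS= read -r pat; do
            case "$pkg" in $pat) exit 0 ;; esac
        done
        exit 1
    }
}

# Live helper for a real box (not exercised offline): show where the package
# is excluded, then list the update yum is hiding. --disableexcludes=all is
# yum's own switch for a one-off override; `yum --disableexcludes=all update
# PKG` applies it without editing yum.conf.
show_masked_update() {
    grep -n '^[[:space:]]*exclude' /etc/yum.conf /etc/yum.repos.d/*.repo 2>/dev/null
    yum --disableexcludes=all list updates "$1"
}

if [ $# -gt 0 ]; then
    if yum_excludes_package "$(cat /etc/yum.conf)" "$1"; then
        echo "$1 is masked by an exclude= entry"
        show_masked_update "$1"
    else
        echo "$1 is not excluded in /etc/yum.conf"
    fi
fi
```

Lifting the exclude only helps if the repository actually carries a newer build; as the reply above notes, the CentOS 5 repositories do not carry a current OpenSSL, so on that box the override mostly confirms that the distribution's own 0.9.8e backports are what is installed.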
 
OK, I tried that command and it works for me too on CentOS 5, but I've updated OpenSSL. What is the output when you try the command?
Code:
openssl s_client -connect sha2-test-api.sandbox.paypal.com:443

Regards
 
As reported in https://www.centos.org/forums/viewtopic.php?f=19&t=59027#p249280 :

openssl s_client -connect sha2-test-api.sandbox.paypal.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerc ... paypal.com
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=stage1_certs/CN=stage1_camercha ... paypal.com
/C=US/ST=CA/L=San Jose/O=PayPal Inc./OU=Mobile Client Certificate Authority/CN=PayPal Sandbox Client CA/[email protected]
/CN=gtorel_1310486522_per_api1.paypal.com/L=Napoli/ST=Napoli/C=IT
/CN=Sandbox_RootCA/OU=PayPal Crypto Mgt/O=PayPal Inc./L=San Jose/ST=California/C=US
/CN=Sandbox_MerchantIssuingCA/OU=Platform Security/O=PayPal Inc./L=San Jose/ST=California/C=US
---
SSL handshake has read 4124 bytes and written 426 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 9E01CD86FA9DC503AD505F17E34C089B6DE725ED6C61E83EF2946F8858FDB6A5
Session-ID-ctx:
Master-Key: 62CD34F44857169F6909F8FEF0BFEABCF26BE73191D29546791F21E9A2601E54A8DF0544F0056FB7EE28D7AD7CC34251
Key-Arg : None
Krb5 Principal: None
Start Time: 1471970979
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
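The two checks this thread keeps coming back to (Alex's point 1 about the server's own OpenSSL/cURL reaching the PayPal API, and the `Verify return code: 0 (ok)` in the s_client transcript above) can be scripted. This is an added example, not code from the thread, PayPal or DirectAdmin: it parses `openssl s_client` output for the verify code, the negotiated protocol and cipher, and the top of the chain OpenSSL saw, and wraps a live probe around that. The two transcripts inside are constructed for the example (the first is abridged from the post above with the certificate body omitted; the second shows what a box whose CA bundle lacks the VeriSign G5 root prints). `check_endpoint` is a hypothetical helper name, and `-servername` assumes an OpenSSL built with TLS extensions (drop it on the 0.9.8e seen in this thread).

```shell
#!/bin/sh
# Added example (not from the thread, PayPal or DirectAdmin): read an
# `openssl s_client` transcript and answer what the thread is really asking.
#   - "Verify return code: 0" means the LOCAL trust store validated the chain;
#     anything else means this client could not reach a trusted root.
#   - The deepest depth=N line is the anchor OpenSSL found, or the point
#     where the chain broke.
#   - Protocol/Cipher are what THIS OpenSSL build actually negotiated.

# Constructed transcript, abridged from the post above (certificate omitted).
SAMPLE_OK='CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---'

# Constructed transcript of the failure mode: the CA bundle has no G5 root,
# so the chain stops at the intermediate and verification ends with code 20.
SAMPLE_MISSING_ROOT='CONNECTED(00000003)
depth=1 /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Numeric verify code from the session summary (0 = chain trusted locally).
sclient_verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Negotiated protocol and cipher as reported in the SSL-Session block.
sclient_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}
sclient_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Depth and subject of the deepest certificate OpenSSL reported: 2 for a
# full leaf/intermediate/root chain, lower when the chain could not be built.
sclient_top_depth() {
    printf '%s\n' "$1" | sed -n 's/^depth=\([0-9][0-9]*\) .*/\1/p' | sort -rn | head -n 1
}
sclient_top_subject() {
    printf '%s\n' "$1" | sed -n 's/^depth=\([0-9][0-9]*\) \(.*\)$/\1 \2/p' \
        | sort -rn | head -n 1 | cut -d' ' -f2-
}

# Exit 0 only when the local trust store validated the chain.
sclient_chain_ok() {
    [ "$(sclient_verify_code "$1")" = "0" ]
}

# Live probe (not exercised offline). </dev/null closes the session once the
# handshake is done. Omit -servername on OpenSSL builds without TLS extensions.
check_endpoint() {
    host="$1"
    port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
    printf 'protocol=%s cipher=%s verify=%s top_depth=%s top=%s\n' \
        "$(sclient_protocol "$out")" "$(sclient_cipher "$out")" \
        "$(sclient_verify_code "$out")" "$(sclient_top_depth "$out")" \
        "$(sclient_top_subject "$out")"
    sclient_chain_ok "$out"
}

if [ $# -gt 0 ]; then
    check_endpoint "$@"
fi
```

Run it as `sh check_tls.sh sha2-test-api.sandbox.paypal.com` to probe the sandbox host. A verify code other than 0 (20, "unable to get local issuer certificate", is the common one) means the CA bundle this OpenSSL uses could not reach a trusted root; that is the outbound-API path of Alex's point 1, a property of the client's trust store, and has nothing to do with the certificate the server presents to PayPal's callbacks. The same transcript also shows which protocol the build negotiated, so an OpenSSL that can only offer TLSv1 is visible in the same output.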
 
Have you tried the SSL Labs test that Alex proposed?

What issue are you facing? Everything may be fine; do the SSL test and try with the sandbox as Alex suggested, to check whether you actually have problems.

Regards
 